I get that what comprises a good password is a bit of a moving target and not everyone agrees – just run a password through a number of checkers to see how it is rated differently depending on the criteria.
But a couple of things seem like safe bets and are widely acknowledged – length (as a method of achieving entropy, famously covered here: https://xkcd.com/936/), and size of character set, which doubles the number of possible combinations with each additional character.
So WHY DEAR GOD do some sites insist on limiting passwords to 8-16 characters, and/or disallow special characters? One example is WA state’s GoodToGo toll road website, which does both.
This feels like it’s one of three things, two of which are bad:
Developers using antiquated frameworks that impose this last-millennium restriction;
Developers still subscribing to the theory that long passwords are bad because they are hard to remember;
Some cutting-edge understanding of password security that makes this an actual best practice that I have just never heard of and can’t comprehend.
I’m hoping that this is just fading away, but I keep running into it. We need a public shaming site that lists sites that do this, to force them into adapting reasonable password form practices.
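As an added illustration of the point about length and character-set size (this is example code, not part of the original post, and the "8-16 characters, no specials" policy is a constructed stand-in for the kind of form the post complains about, not the real site's rules), the snippet below computes the entropy ceiling a password form policy allows and checks which sample passwords each policy would even accept. The Policy class, its limits, and the sample passwords are all assumptions made for the example; the entropy figures assume uniformly random choice, so they are upper bounds, and a human-picked password is usually far weaker.

```python
"""Compare the password keyspace that different form policies allow.

Added example, not from the original post. Entropy figures assume the
password is drawn uniformly at random from the allowed set, so they are
upper bounds on what the form permits, not the strength of any real user's choice.
"""
import math
import string
from dataclasses import dataclass

ALNUM = string.ascii_letters + string.digits              # 62 symbols
PRINTABLE = ALNUM + string.punctuation + " "              # 95 symbols (space allowed)
DICEWARE_WORDS = 6 ** 5                                   # 7776-word list, xkcd/diceware style


def random_password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of `length` uniform draws from `charset_size` symbols."""
    return length * math.log2(charset_size)


def passphrase_bits(words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy in bits of `words` uniform draws from a word list."""
    return words * math.log2(wordlist_size)


@dataclass(frozen=True)
class Policy:
    """A hypothetical password form policy: length bounds plus allowed characters."""
    name: str
    min_len: int
    max_len: int
    charset: str

    def accepts(self, password: str) -> bool:
        """True if the form would let this password through."""
        return (self.min_len <= len(password) <= self.max_len
                and all(c in self.charset for c in password))

    def max_bits(self) -> float:
        """Ceiling on the entropy of any password this form will accept."""
        return random_password_bits(len(self.charset), self.max_len)


# Constructed policies for comparison (assumed, not any specific site's rules).
RESTRICTIVE = Policy("8-16 chars, no specials", 8, 16, ALNUM)
PERMISSIVE = Policy("8-128 chars, any printable", 8, 128, PRINTABLE)


def compare(password: str, policies=(RESTRICTIVE, PERMISSIVE)) -> dict:
    """Report, per policy, whether `password` is accepted and the policy's keyspace ceiling."""
    return {
        p.name: {"accepts": p.accepts(password), "ceiling_bits": round(p.max_bits(), 1)}
        for p in policies
    }


if __name__ == "__main__":
    # Constructed sample passwords: a 4-word passphrase and a short mangled word.
    for pw in ("correct horse battery staple", "Tr0ub4dor3"):
        print(repr(pw), compare(pw))
    print("4-word passphrase from a 7776-word list:", round(passphrase_bits(4), 1), "bits")
    print("6-word passphrase from a 7776-word list:", round(passphrase_bits(6), 1), "bits")
```

Running it shows the cap in concrete terms: a form limited to 16 alphanumeric characters can never accept anything above roughly 95 bits, and it rejects the 28-character passphrase outright, while a 4-word passphrase from a 7776-word list sits near 52 bits and 6 words near 78, so the length cap forces users toward the short, mangled style rather than the memorable long one.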