The HN audience is mostly not completely incompetent in password matters.
But by and large, people have been trained into terrible habits concerning passwords, and they have no idea how to make a halfway decent password. I tend to think a good baseline for most sites is to use zxcvbn and reject passwords with score 0 (which means, guessing is expected to take less than 1,000 attempts). That way you’re not being particularly onerous, but you are at least blocking useless passwords.
Still, there’s a space in some services for allowing no password. NewsBlur allows a zero-character password, for example, and that’s fine. I’d much prefer a thing to allow no password if possible, deny useless passwords and allow anything else (with hints about weaknesses), than have rules about character classes and mandatory inclusions.
But by and large, people have been trained into terrible habits concerning passwords, and they have no idea how to make a halfway decent password. I tend to think a good baseline for most sites is to use zxcvbn and reject passwords with score 0 (which means, guessing is expected to take less than 1,000 attempts). That way you’re not being particularly onerous, but you are at least blocking useless passwords.
Still, there’s a space in some services for allowing no password. NewsBlur allows a zero-character password, for example, and that’s fine. I’d much prefer a thing to allow no password if possible, deny useless passwords and allow anything else (with hints about weaknesses), than have rules about character classes and mandatory inclusions.