This is a major change from the original NIST guidance that MS & dog previously followed. It turns out the author of that guidance admitted not so long ago that it was basically rubbish: just like the half dozen or more boxes that security managers have been mindlessly checking since 2004 (to be sure many of those misguided policies had become canon long before being enshrined in NIST's standards). It was the snakeoil press that made millions (billions?) for the producers and actors engaged in over a decade of security theater. The independent genius and intellectual courage of XKCD's author can only be fully appreciated against that background. https://www.engadget.com/2017-08-08-nist-new-password-guidel...