NIST proposes barring some of the most nonsensical password rules

I would always just create 1 password and append a number and it's special char, cycling from 1 to 0; like 1!, 2@, 3#. Never stayed at a place long enough to go higher than 7 or 8.

I never gave a fuck about doing this because it's the companies fault for applying stupid policies. Whenever I've been allowed a password manager, they got real security instead of malicious compliance.

I feel like it's not a big impact on security if I use 2fa anyway. (Base password)(month)(year) is fine for me 😅