The below comes from an Australian government site (formatting is mine, for readability):
“Your password must be a minimum length of nine characters, consisting of three of the following – lowercase (a-z) and uppercase (A-Z) alphabetic characters,
numeric characters (0-9) or
special characters (! $ # %).
It cannot contain any 2 consecutive characters that appear in your user ID, first name or last name.
It must not be one of your 8 previous passwords.”
That’s a serious looking ruleset. But does it actually make things safer?
I doubt it. What do you think?