I recently had to log in to the website of an Australian government agency with which I deal from to time. To my surprise, I was presented with a message saying that my password had expired and that, under a new security policy, password expire every 90 days, and they must contain a mixture of alphanumeric and special characters (this is called a composition rule)

You don’t need to be a cybersecurity expert to know that this is nonsense. Comics like Xkcd have been mocking special character passwords for years. As is well known a long but easily memorable string of dictionary words like “thisgovernmenthasnochanceofwinning” is much harder to crack than a shorter [email protected] with obvious substitutions like @ for a (this password would meet the conditions I was asked to satisfy).