“It’s hard to make good rules, so we shouldn’t make rules”?
This is the second time in as many days that I’ve seen high-level members of the Discourse team spreading major misconceptions about security. I think there are some general things you need to re-think and I hope you will take that as constructive feedback.
Also, this specific suggestion isn’t coming out of nowhere: we recently had a user account get compromised because the username was myusername and the password was of the form
Granted, this was a ClassicPress site (same login structure as WordPress), so it is much more “low-hanging fruit” in terms of bots etc. However, this is something that bots are looking for.
Password rules can’t prevent every kind of bad password out there, but they can go a long way.