PASSWORD SECURITY IS COUNTERINTUITIVE:
“Your password must be 8 characters & contain upper, lower, digit & punctuation characters” => “Your password is now 2.14x easier to guess via brute force.”
We’re not joking; the number of 8-char passwords with the above constraint is 2807657387458560; the number without constraint is 6095689385410816.
The constraints slash diversity by more than 50%
source for proof; compute all possible permutations and reject those which don’t satisfy the constraints, and then multiply out:
Anyone who believes that 2.8 quadrillion passwords (2,807,657,387,458,560) is “a lot” needs to be aware that @hashcat runs at billions of hashes per second, nowadays.
At 6bn hashes per second, you exhaust the space in 5 days & 10 hrs.
Bitcoin 
Ethereum 
Cardano 
Polkadot 
Litecoin 
Uniswap 
Chainlink 
NEO 
Monero 
Dash 
Synthetix Network Token 
yearn.finance 
Ontology 
Waves 
Golem 
Numeraire 
Augur 
BEAM