You're right. While enforcing complexity does increase the search space, it also eliminates a huge search space (i.e., all the possible combinations that do not require the required complexity). It also isn't as easy to remember, which incentivizes users to store them somewhere else; this greatly reduces the effective security of the user's account. Sure, they're still hard to brute-force, but if you can obtain it out-of-band, there's no brute-force required.
I learned some techniques, too, from this post (cookie renaming and 403 -> 404). Great job, Banso!
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
You're right. While enforcing complexity does increase the search space, it also eliminates a huge search space (i.e., all the possible combinations that do not require the required complexity). It also isn't as easy to remember, which incentivizes users to store them somewhere else; this greatly reduces the effective security of the user's account. Sure, they're still hard to brute-force, but if you can obtain it out-of-band, there's no brute-force required.
I learned some techniques, too, from this post (cookie renaming and 403 -> 404). Great job, Banso!