I've been coding for over 20 years now! (WOAH, do I feel old)
I've touched just about every resource imaginable under the Sun (too bad they were bought out by Oracle)
Please do NOT set a 16 character maximum. Password managers will generate strong entropy random passwords, and devices like a YubiKey can also supply a 32+ character password.
And honestly, the upper/lower/number/symbol is based on old knowledge that really isn't great anymore. The test should be for entropy instead of a set regex. By limiting to 16 characters, you're hurting potential random entropy from the input, essentially limiting the possibilities of stronger hashing algorithms that exist today.
Security, especially around passwords, is a topic that should be peer reviewed by experts in the field; no single person should be coming up with the spec or implementation. This is exactly how all of these large-scale exploits are happening.
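The contrast drawn in the comment above, as an added example that is not the commenter's or the original post's code: a composition regex with a 16-character cap beside a length-times-pool entropy estimate. The regex, the 80-bit threshold, the 1024-character ceiling and the sample passwords are constructed assumptions.

```python
import math
import re
import string

# Constructed legacy rule: upper + lower + digit + symbol, 8 to 16 characters.
LEGACY_RULE = re.compile(
    r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,16}$"
)

# ASCII character pools; space is counted with the symbols.
POOLS = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)


def estimated_bits(password: str) -> float:
    """Upper-bound estimate: length * log2(size of the pools in use).

    Exact only when every character is drawn uniformly at random,
    as a password manager does; human-chosen strings score lower in reality.
    """
    if not password:
        return 0.0
    pool = sum(len(p) for p in POOLS if any(c in p for c in password))
    # Assumption: any non-ASCII character adds one extra pool of 128 symbols.
    if any(all(c not in p for p in POOLS) for c in password):
        pool += 128
    return len(password) * math.log2(pool)


def legacy_accepts(password: str) -> bool:
    """Regex composition check with the 16-character maximum."""
    return bool(LEGACY_RULE.match(password))


def entropy_accepts(password: str, min_bits: float = 80.0, max_len: int = 1024) -> bool:
    """Entropy check; max_len only bounds the input handed to the hash function."""
    return len(password) <= max_len and estimated_bits(password) >= min_bits


if __name__ == "__main__":
    # Constructed samples: a typical "compliant" password and a 32-char generated one.
    for pw in ("Password1!", "k3v9q2m8x4t7b1n6z5c0w8r2y4h6j9d3"):
        print(f"{pw!r}: legacy={legacy_accepts(pw)} "
              f"entropy={entropy_accepts(pw)} bits={estimated_bits(pw):.1f}")
```

The regex accepts `Password1!` and rejects the 32-character generated password; the entropy check does the opposite, even though its estimate is generous to `Password1!`.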