DEV Community

Discussion on: User Authentication, In 2020

 
ghost profile image
Ghost

Oh no, I misspoke. I meant: what is the problem with passwords being shorter if you can limit the number of requests in your API? So what if a password lives in a smaller random space if, as a malicious attacker, you can only check one each second? The goal is not to have more possible permutations; the goal is that it takes a long time. Having a lot of permutations is the only choice for offline encryption, because you can't control how fast an attacker can check, but with a live system you can: you just need to restrict the attempts, in number of tries or time between them.

I also wonder why, or if, I should force users to have a certain degree of security. Why can't a user be able to have an unsafe password? If it will only affect themselves, I think it is their choice, not mine. Now, if that user could affect others, like someone with admin permissions, of course you may want to force them, but what if I don't care about my emails or YT? Why should I be forced to have a long password? Are Google gonna check if I have my passwords on post-its on my monitor, or check that I haven't given them to anyone? Why should they care?
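The trade-off the comment describes, worked through in Python as an added example: a live login endpoint can cap guesses per account with a throttle, while an attacker who has obtained a copy of the password hashes is capped only by their own hardware, which is where the size of the password space matters. This is editor-written code, not from the DEV thread or its author. The guess rates, the window sizes, the account names and the idea that the hash database has leaked are all assumptions made for the illustration.

```python
"""Online guessing (throttled) versus offline cracking (unthrottled)."""
from collections import defaultdict, deque

# Assumed rates for the comparison (constructed figures, not measurements):
ONLINE_RATE = 1.0        # guesses/second allowed by a "one try per second" limit
OFFLINE_RATE = 1e10      # guesses/second assumed for cracking a fast, unsalted hash
SECONDS_PER_YEAR = 31_557_600


def space_size(charset_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters over a charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every password in the space at `rate` guesses/s."""
    return space_size(charset_size, length) / rate


def years_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    return seconds_to_exhaust(charset_size, length, rate) / SECONDS_PER_YEAR


class LoginThrottle:
    """Sliding-window attempt limiter keyed by account name.

    Each account may make at most `max_attempts` login attempts within any
    `window`-long span; further attempts are refused until old ones age out.
    `now` and `window` are in the same unit (seconds, milliseconds, ...) and
    are passed in explicitly so behaviour is deterministic and testable.
    """

    def __init__(self, max_attempts: int = 5, window: int = 60):
        self.max_attempts = max_attempts
        self.window = window
        self._attempts = defaultdict(deque)  # account -> timestamps of attempts

    def _prune(self, account: str, now: int) -> None:
        q = self._attempts[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, account: str, now: int) -> bool:
        """Return True and record the attempt if it is within the budget."""
        self._prune(account, now)
        q = self._attempts[account]
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def simulate_guessing(throttle: LoginThrottle, account: str,
                      guesses_per_second: int, duration_seconds: int) -> int:
    """Guesses an attacker can actually submit against one account when
    hammering the endpoint at `guesses_per_second` for `duration_seconds`.
    Time is tracked in integer milliseconds so the arithmetic is exact."""
    accepted = 0
    for i in range(duration_seconds * guesses_per_second):
        now_ms = i * 1000 // guesses_per_second
        if throttle.allow(account, now_ms):
            accepted += 1
    return accepted


if __name__ == "__main__":
    # Six lowercase letters: tiny space, but slow to search through a throttle.
    print("online, 1 guess/s: %.1f years" % years_to_exhaust(26, 6, ONLINE_RATE))
    print("offline, assumed GPU: %.3f seconds" % seconds_to_exhaust(26, 6, OFFLINE_RATE))
    # An attacker firing 100 requests/s for two minutes at a 5-per-minute throttle:
    t = LoginThrottle(max_attempts=5, window=60_000)   # window in milliseconds
    print("guesses that got through:", simulate_guessing(t, "alice", 100, 120))
```

The throttle shows the commenter's point: against the live endpoint, a six-letter lowercase password takes years to exhaust at one guess per second, and hammering the endpoint faster gains nothing because only the budgeted attempts are evaluated. The offline figure shows why length and entropy still matter for a stored credential: once the hashes leave the server (backup, breach, misconfigured replica), the throttle no longer applies and the same space is searched in well under a second against a fast hash. A slow, salted password hash (bcrypt, scrypt, Argon2) is the server-side control for that case, and a per-account limit like this one should be paired with a per-source limit so an attacker cannot sidestep it by spreading attempts across many accounts.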