
> So, with Discourse, rather than all that, I decided we'd default on a solid absolute minimum password length of 8 characters

8 characters is way too much for someone just 'poking around'. Sure, 6 characters is much less secure, but then again how secure do you need to be for a forum/commenting platform?

It's much better to let the user know his password is weak while letting him take it anyway.



Exactly my point, I hate to be restricted with my passwords for meaningless websites.

"Sorry, but your password must contain an uppercase letter, a number, a haiku, a gang sign, a hieroglyph, and the blood of a virgin." (old joke)

But why? Your website is not important, do you know?

And if your website is that important (maybe it involves paid subscriptions or something), then freakin' remind me of those restrictions when I'm trying to log in, so I don't have to think about all the character combinations I might have tried when signing up for your website.


Why does it matter how unimportant the site is? When you pick a password, either you pick something simple and totally insecure (password, 3jane, god), something not so weak but still easily crackable ("kLY8rT"), or you use a password manager.

The "not so weak but still crackable" intermediate level doesn't make sense. It's probably going to be reused (how many different 6-character random passwords are you going to remember), so it's just as easy to make it 8 or 12 characters to make it harder to crack when one of the sites inevitably has their password database stolen. If they're not hashing, of course, you're screwed no matter how long the password is.

If you're going to allow 6 character passwords, that indicates there's basically no cost to user account compromise, so why should there be any password testing at all? If a user wants to use the password "1" and gets hacked, that's their problem, they can create a new account after all. It also indicates that user's contributions to the site are probably of low value, since they don't expect to gain any social capital from their contributions that are worth protecting with a better password. If they think the post(s) have value but are going to abandon the account, they can just as easily use "1password" as their password instead of "123123".

It seems like an 8 character minimum and checking against a wordlist is a small price to pay for preventing naive internet users (there are a lot of them) from using horrible, not just bad, passwords.
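The two policies argued over in this thread (a hard 8-character minimum plus a wordlist check, versus warning the user but letting a weak password through) side by side, as an added illustration that is not code from any commenter or from Discourse; the wordlist and the offline guess rate are constructed placeholders:

```python
import string

# Constructed stand-in for a breached/common-password wordlist (a real
# deployment would load a large list such as a breach corpus).
COMMON_PASSWORDS = {"password", "123456", "123123", "qwerty", "god", "3jane", "1"}

MIN_LENGTH = 8

# Assumed offline guess rate against a stolen database with fast hashing.
# Placeholder figure for illustration, not a measured number.
GUESSES_PER_SECOND = 1e10


def charset_size(password):
    """Size of the smallest standard alphabet that covers every character."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c.isspace() for c in password):
        size += len(string.punctuation) + 1
    return size


def worst_case_crack_seconds(password):
    """Seconds to exhaust the keyspace at GUESSES_PER_SECOND.

    An upper bound that only holds for a random password; anything
    in a wordlist falls in far sooner, whatever its length.
    """
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def evaluate(password, min_length=MIN_LENGTH, enforce=True):
    """Apply the minimum-length and wordlist rules discussed above.

    Returns (verdict, reasons): "reject" under the strict policy,
    "warn" under the advise-but-allow policy, "ok" when no rule fires.
    """
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if not reasons:
        return "ok", reasons
    return ("reject" if enforce else "warn"), reasons


if __name__ == "__main__":
    for pw in ["123123", "kLY8rT", "kLY8rTxy"]:
        print(pw, evaluate(pw, enforce=False), f"{worst_case_crack_seconds(pw):.0f}s")
```

Run as a script it shows why the thread's "kLY8rT" example sits in the awkward middle: six random alphanumerics exhaust in seconds at the assumed rate, while two more characters push the same search past hours.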


> When you pick a password, either you pick something simple and totally insecure (password, 3jane, god), something not so weak but still easily crackable ("kLY8rT"), or you use a password manager.

No I don't.


Why would you let someone use a password you know is going to get compromised? Don't you think they're going to get pissed off once their account is compromised? Do you think it's more likely they'll blame themselves for using a weak password than blame you for letting them use it?


Perhaps, but if that user is hacked due to their weak password, while it would technically be the user's fault, it would be the site owner who would take the blame for it in the user's eyes. It's better to protect the user from themselves.

And "just" a commenting platform doesn't quite cut it for me; people can take their online reputations very seriously. How would it affect the HN community as a whole if tpatec or michaelochurch (insert your own respected user here) were hacked and their profiles destroyed?


You are looking at this from your point of view. Someone who values his online identity and (probably) already takes the required steps to protect it.

At the other extreme, my father commenting on the news couldn't care less if his account is hacked. All he wants is a fast and easy way (using the same password he always uses) to post on the Internet, with a relatively secure way to identify himself to other users on the site.

You need to sit next to someone who doesn't live on the Internet to realize how a simple measure, such as requiring a minimum password length, can really piss them off.

"Oh, my account got hacked... I guess I'll make another."

"God FUCKING DAMNIT this stupid website won't accept my password!"



