
I've written into several companies in the past saying "your password policy is bad for __ reason", and they always of course write back saying basically "our security team doesn't care, shut up". There have been quite a few times I've cancelled accounts right after signing up because of just how absurd they were (for instance, I believe Trade King forces you to click-type your password with the mouse on an on-screen keyboard, just in case you have keylogger malware).

It's great that there's now a "right answer", and it seems to be based on some solid research about what actually helps and what doesn't.

In a similar vein, I wish there were somehow a standard for HTTP login and change-password requests. Right now password managers are pretty hit or miss about whether they can actually fill a form and log you in: sometimes it just can't find the right field, sometimes there's a JavaScript field check of some sort so you have to click into the field after the password manager fills it before you can submit, etc. Having some kind of standard would let you more reliably automate logging in, rotating all passwords (at least on accounts without MFA), etc.




There's not "now a 'right answer'": NIST standards have been around for a while; the companies you've mentioned are just even more arrogant idiots than you originally thought :-)


Given that password autofill is built into all browsers, it should be part of HTML, IMO. Something like <form login><input type="text" name="username" username><input type="password" name="password" password></form>
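As an added example (not from anyone in this thread): HTML already has standardized autofill tokens on the `autocomplete` attribute, which is how browsers and password managers identify login and change-password fields without guessing. The form action paths and the sample username are assumptions, and the script shows a field check that still works after a manager fills the form.

```html
<!-- Login form: the autocomplete tokens tell browsers and password managers
     which field is which, so no page-specific heuristics are needed. -->
<form method="post" action="/login">  <!-- action path is assumed -->
  <label>Username
    <input type="text" name="username" autocomplete="username">
  </label>
  <label>Password
    <input type="password" name="password" autocomplete="current-password">
  </label>
  <button type="submit">Log in</button>
</form>

<!-- Change-password form: "new-password" lets the manager offer a generated
     password and update its stored entry after a successful submit.
     The hidden username field tells it which stored login to update. -->
<form method="post" action="/account/password" id="change-pw">  <!-- assumed path -->
  <input type="hidden" name="username" autocomplete="username" value="alice">  <!-- constructed value -->
  <label>Current password
    <input type="password" name="old_password" autocomplete="current-password" required>
  </label>
  <label>New password
    <!-- minlength 8 matches the NIST SP 800-63B minimum for user-chosen passwords -->
    <input type="password" name="new_password" autocomplete="new-password" minlength="8" required>
  </label>
  <label>Confirm new password
    <input type="password" name="confirm_password" autocomplete="new-password" required>
  </label>
  <button type="submit" disabled>Change password</button>
</form>

<script>
  // Validate on the "input" event rather than keydown/keyup: a programmatic
  // fill never produces keystrokes, so keystroke-based checks leave the submit
  // button disabled after a password manager fills the form.
  const form = document.getElementById('change-pw');
  const field = (name) => form.elements.namedItem(name);
  const check = () => {
    const ok = field('new_password').value.length >= 8 &&
               field('new_password').value === field('confirm_password').value;
    form.querySelector('button[type=submit]').disabled = !ok;
  };
  form.addEventListener('input', check);
  check();
</script>
```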





