Is it bad practice to publish explicit details about the strength of a password?


The entropy (number of possible passwords) you lose to those requirements is trivial compared to the number of people who would otherwise use one of the 100 most common passwords out there. So no, there’s nothing wrong with publishing the requirements in detail, not if they’re any good.

Of course, that last clause matters. Most of the requirements in that list are worthless. The only ones, other than the length (which is on the short side) that I’d consider really good are the “… or commonly used passwords” and maybe “… commonly used password character patterns” and anything involving names. Depending on how those rules are implemented*, they might actually enforce decent passwords. Otherwise, the most common password on that site is going to be “Password1!” (10 characters; one each of upper, lower, digit, and symbol; no long strings of the same character; no names). Next most common will be various common words (or names) “encoded as text/1337”, as a colleague once described it (consider “$tackOverfl0w” as a password for this site, which also potentially fits all the requirements in your picture, or the initial example in this XKCD).

The requirements for different cases, numbers, and symbols are particularly egregious, because they make it hard to use passphrases (see Diceware or the solution XKCD suggests instead in the link above). For very short passwords (less than 12 or so characters) they might do more harm than good just by slightly reducing the likelihood of people choosing the same substitutions, but those substitutions add very little security even if chosen at random (and they’re much worse than random; in practice people use the same ones) so they’re much worse than just using a better way of generating a password to start with.

* I once saw a service – whose entire purpose was doing secure logins for other sites – that claimed to offer a “prevent the use of the most common passwords” feature but failed miserably at it. Their “most common passwords” list was too short – only 10,000 passwords – and it wasn’t even the 10,000 most common passwords that fit their other requirements. In fact, not a single password on the list fit their other requirements so the entire feature was worthless as it would never rule out a single password candidate.
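The three points the answer makes (composition rules let “Password1!” and “$tackOverfl0w” through, they reject a long passphrase, and a blocklist is useless if none of its entries could pass the composition rules anyway) can be checked in a few lines. The following is an added example, not code from the answer or from any real login service: the exact reading of the rules (minimum 10 characters, one of each class, no run of four identical characters, no substring from a name list), the name list and the tiny stand-in “common passwords” list are all assumptions constructed for illustration.

```python
import math
import re
import string

# Constructed sample data (not a real breach list): a stand-in for a
# "most common passwords" blocklist and a hypothetical name list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Password1!", "iloveyou"]
NAMES = ["alice", "bob", "john"]


def has_run(pw, n=4):
    """True if any single character repeats n or more times in a row."""
    return re.search("(.)\\1{%d,}" % (n - 1), pw) is not None


def meets_composition(pw, min_len=10, names=NAMES):
    """Assumed reading of the picture's rules: length, one character of each
    class, no long run of one character, no name as a substring.
    Returns (passed, per-rule results) so a rejection can be explained."""
    checks = {
        "length": len(pw) >= min_len,
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
        "no_run": not has_run(pw),
        "no_name": not any(n in pw.lower() for n in names),
    }
    return all(checks.values()), checks


def is_common(pw, common=COMMON_PASSWORDS):
    """Case-insensitive blocklist lookup."""
    return pw.lower() in {c.lower() for c in common}


def accept(pw, common=COMMON_PASSWORDS):
    """A candidate is accepted only if it passes composition AND is not on the blocklist."""
    return meets_composition(pw)[0] and not is_common(pw, common)


def blocklist_entries_that_matter(common, rule=meets_composition):
    """The check from the footnote: how many blocklist entries could even pass
    the composition rules? If the answer is 0, the blocklist can never reject a
    candidate the rules already accept, so the feature does nothing."""
    return [c for c in common if rule(c)[0]]


def passphrase_entropy_bits(words, dict_size=7776):
    """Entropy of a Diceware-style passphrase: words chosen uniformly from dict_size."""
    return words * math.log2(dict_size)


def random_string_entropy_bits(length, charset_size=len(string.printable.strip())):
    """Entropy of a uniformly random string over charset_size characters."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    for pw in ["Password1!", "$tackOverfl0w", "correct horse battery staple"]:
        ok, detail = meets_composition(pw)
        print(f"{pw!r}: composition={ok} common={is_common(pw)} accepted={accept(pw)}")
        if not ok:
            print("   failed:", [k for k, v in detail.items() if not v])
    # A blocklist made only of lowercase words never overlaps the rules' output.
    lowercase_only = ["123456", "password", "qwerty", "letmein"]
    print("useful entries in lowercase-only list:", blocklist_entries_that_matter(lowercase_only))
    print("useful entries in full list:", blocklist_entries_that_matter(COMMON_PASSWORDS))
    print(f"5 Diceware words: {passphrase_entropy_bits(5):.1f} bits; "
          f"10 random printable chars: {random_string_entropy_bits(10):.1f} bits")
```

Running it shows “Password1!” and “$tackOverfl0w” both satisfy every composition rule, so only the blocklist stands between them and acceptance, while the four-word passphrase is rejected for lacking an upper-case letter, a digit and a symbol despite carrying more entropy than most human-chosen 10-character strings. The `blocklist_entries_that_matter` helper is the sanity check a deployer should run once against their own list: a list of plain lowercase words returns an empty result, which is exactly the broken feature described in the footnote.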