"Your password needs to contain a non-alphanumeric character and two upper-case characters."
Most people have probably seen an error message like this when trying to change a password somewhere. The usual reaction is to append a few special characters, such as exclamation marks, to the end of the existing password.
The story behind password policies
In 2004 the National Institute of Standards and Technology (NIST) published guidance on secure passwords in "Special Publication 800-63 Version 1.0", stating rules such as:
"composition rules that typically require users to select passwords that include lower case letters, upper case letters, and non-alphabetic symbols"
Ultimately, software vendors followed suit by adding absurd configuration flags to their systems, letting administrators configure how many characters of which type are required. Enterprises saw this and started demanding it from every vendor: if your software didn't support it, companies simply wouldn't buy from you.
Realistically, this didn't raise the security level of the system. Instead of "password", people now chose "Password1!".
In 2017, NIST acknowledged this and published "800-63B", moving away from recommending regular password changes and password composition requirements. Instead, it advised checking passwords against lists of breached or weak passwords and enforcing a minimum password length.
How Gatekeeper uses password policies
We believe in making software as easy to use as possible, with sane security defaults. There is barely any valid reason why organization A would require one more special character than organization B.
In terms of password checks, this means that Gatekeeper will come with a hard-coded password policy. There is no configuration required on your end, and Gatekeeper will automatically follow current best practices.
Gatekeeper will make users aware when their password is not deemed secure, such as when it is not long enough or has appeared in an earlier breach.
User enters a password that is too short:
User enters a breached password:
User enters a secure password:
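As an added illustration of the policy described above (not Gatekeeper's own code), the checker below enforces only a minimum length and a breached-password lookup, with no composition rules. The 8-character minimum follows NIST 800-63B's floor for user-chosen secrets; the breach corpus and the `range_lookup` function are constructed stand-ins for a real breach list or a k-anonymity range API.

```python
import hashlib

# Assumed for this example: NIST SP 800-63B's minimum of 8 characters for
# user-chosen memorized secrets. No character-class rules are applied.
MIN_LENGTH = 8


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_breach_index(passwords):
    """Index known-breached passwords by 5-hex-char SHA-1 prefix, the shape a
    k-anonymity range lookup returns: prefix -> set of 35-char suffixes."""
    index = {}
    for pw in passwords:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


# Constructed sample corpus; a real deployment would use a full breach list.
BREACH_INDEX = _build_breach_index(["password", "Password1!", "123456", "qwerty"])


def range_lookup(prefix: str) -> set:
    """Stand-in for a range query: the caller reveals only the first five hex
    characters of the hash and receives every known suffix under that prefix,
    so the full password hash never leaves the client."""
    return BREACH_INDEX.get(prefix.upper(), set())


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    if suffix in range_lookup(prefix):
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["pass", "Password1!", "bookshelf mountain lantern river"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Note that "Password1!" passes every classic composition rule yet is rejected, while a long all-lowercase passphrase is accepted.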