Edit: @Successful_[email protected] solved it. It says "one special character". Not "at least one".
Well now. When we've been enforcing password requirements at work, we've had to enforce a bizarre combination of "you must have a certain level of complexity", but also, "you must be slightly vague about what the requirements actually are, because otherwise it lets an attacker tune a dictionary attack against you". Which just strikes me as a way to piss off our users, but security team say it's a requirement, therefore, it's a requirement, no arguing.
"One" special character is crazy; I'd have guessed that was a catch-all for the other strange password requirements:
- can't have the same character more than twice in a row
- can't be one of the ten-thousand most popular passwords (which is mostly a big list of swears in russian)
- all whitespace must be condensed into a single character before checking against the other rules
We've had customers' own security teams asking us if we can enforce "no right click" / "no autocomplete" to stop their users in-house doing such things; I've been trying to push back on that as a security misfeature, but you can't question the cult thinking.