Why aren’t there universal parameters for online passwords?


How is it 2021 and password parameters are completely site-dependent? Character limits, no special characters/special characters required/only certain special characters, etc. I feel like the various rules make it more likely people will use bad habits like writing passwords down, or making less complex passwords more likely?

Edit: Upon further discussion in the replies, with many good points being made, I realized my real question should have been: why do some sites set password parameter limitations? I should be able to input a 25-character complex passphrase with letters, numbers, special characters if I want, whether it’s for my Netflix account or bank account. What I don’t understand is my bank being like, “Nah, you can only use 12 characters, and you can’t use @”. That’s my frustration, and was more my question because I figured there was likely a technical reason behind it.


15 Answers

Anonymous 0 Comments

Because that would require a singular, universal authority to come up with such a thing and no such thing exists. And it is unlikely to ever exist because there isn’t universal agreement on what the parameters for passwords should be. In fact, just about the only thing that is agreed upon with regard to passwords is that they suck and should be replaced with something else.

And even if there was a “universal parameter”, people wouldn’t be forced to learn it or use it.

Anonymous 0 Comments

Wouldn’t it also make passwords easier to crack if they all followed the same rules?

Anonymous 0 Comments

> Edit: Upon further discussion in the replies, with many good points being made, I realized my real question should have been: why do some sites set password parameter limitations? I should be able to input a 25-character complex passphrase with letters, numbers, special characters if I want, whether it’s for my Netflix account or bank account. What I don’t understand is my bank being like, “Nah, you can only use 12 characters, and you can’t use @”. That’s my frustration, and was more my question because I figured there was likely a technical reason behind it.

Sometimes there are technical reasons. For instance, it’s going into some sort of SQL query, and they want to make sure it won’t screw it up somehow. I can expand on this if you like.

Sometimes it’s customer service. You don’t want to deal with people who set up their password on a Russian system and now can’t figure out how to type that on a Mac with a Spanish keyboard. The same goes for unusual characters. On some layouts it’s very easy to get an € or a £. On others you’d have a hard time. So forbidding anything strange reduces the likelihood of somebody running into such issues.

Sometimes it’s some ancient system sitting in the middle that hasn’t been updated in the last 3 decades, and so you have to play by its rules.

And oftentimes it’s just some random standard or “best practice” that’s been inherited from somewhere else and nobody bothered to think about much. The dev just had it burned into their brain that passwords top out at 8 characters on some earlier project, so 8 characters is what gets written into new code.
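To illustrate the SQL-query concern raised in the answer above, here is an added example (not from the thread or from any site's real code) of a password store that salts and hashes the password and passes every value as a bound query parameter, so quotes, `@`, `€` and long passphrases never reach the SQL text and every stored record has the same size. The table layout, function names, iteration count and sample passwords are assumptions constructed for this sketch.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000  # assumed work factor, chosen for this example only


def open_store():
    """Create an in-memory user table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def _derive(password, salt):
    # The password is only ever input to the hash; output is always 32 bytes.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(db, name, password):
    salt = os.urandom(16)
    # "?" placeholders bind values as data; they are never spliced into the SQL string.
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _derive(password, salt)))


def verify(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _derive(password, salt))


def stored_hash_len(db, name):
    """Size in bytes of the stored hash, regardless of password length."""
    return db.execute("SELECT length(pw_hash) FROM users WHERE name = ?", (name,)).fetchone()[0]


# Constructed sample passwords: SQL punctuation, non-ASCII symbols, a long passphrase.
SAMPLES = {
    "alice": "it's @ \"quoted\"; -- pass",
    "bob": "price: 5€ or 4£ #deal",
    "carol": "a 25+ character passphrase with spaces & symbols @!",
}

if __name__ == "__main__":
    db = open_store()
    for user, pw in SAMPLES.items():
        register(db, user, pw)
        print(user, verify(db, user, pw), stored_hash_len(db, user))
```
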

Anonymous 0 Comments

There are pros and cons for having that. But I would say the reason it does not exist is because there is no compatibility issue. If different websites used their own request protocols the WWW just would not work in practice, so we all use HTTP. The only reason to create a standard for passwords is because it might be convenient, but it does not solve any real problems.

Anonymous 0 Comments

A common problem already is for users to use the same password for every site. We’ve all heard plenty of “password as the password” stories. So it actually makes sense to have separate parameters for each site.

It’s not to protect people that are already security conscious. It’s to help prevent the masses from losing all their accounts just because the password for one has been compromised.

Edit: Others have raised the space limitations of password databases as to why they don’t all allow super long pass phrases.