I agree with all of the individual points you make, but you’re missing the big picture here. 95% of the time when I find myself needing to make a password, it’s a site where I just want to register as quickly as possible so I can make an anonymous response. Like this!
I see that for “Discourse”, you need to provide an email address (but “mailinator.com” is blacklisted, requiring me to use one of their hundreds of aliases) and password. In essence, it’s kind of like a big captcha. You just need to make it painful enough for me to register that it’s not going to attract stupid Youtube-level comments.
The password rules are one piece of that test. Requiring an email address is another. Blacklisting “mailinator.com” is another: it blocks anyone who can’t be bothered to scroll down a screen on the Mailinator homepage.
StackOverflow used to make it really easy to get started: you didn’t need to provide an email address, or even register at all. If you wanted to ask a question or provide an answer, you just did it. There was nothing requiring a person to register, ever, and many of us used it that way. Then the site got too popular, I assume, and so they needed to add these captcha-like methods to make it harder for people to use.
The problem is similar to a captcha, but not exactly the same. A captcha tests if you’re a computer or not, as quickly as possible. What you want is a test to tell if the user is going to provide an intelligent and reasonable comment, and it does that by being as slow as possible (lots of steps). But if that test could be quick, life would be better for everyone. Imagine if StackOverflow could go back to not requiring registration, but still somehow keep the trolls out.
I have no idea how to do that, but that’s the dream. Until then, we’ve got “register + password rules + email confirmation + other junk”.
Maybe something like an Oauth-style authorization system that lets me re-use my “karma” from all sites I’ve ever commented on, but also keeps each one isolated from each other.