How I used to remember passwords


Let me tell you a story about passwords.

I don't have a visible disability, unless you count getting older and random things hurting all the time. I review websites every day though and I've created more accounts than I dare remember. I didn't always use a password manager, so I had to come up with some way to remember passwords without writing them down.

My technique involved having a set base for the password plus something unique for every website. The base was just a random word that meant something to me, where I replaced some letters with numbers and uppercased every other letter. I would then tack on something unique for every website, like the last four letters of the URL, but instead of the letter, I'd use the very next letter on the keyboard. So for google, I'd get "phar" instead of "ogle," since the letter "p" was right after the letter "o" on the keyboard, "h" was after "g" and so on.

I thought I had every potential password requirement checked off with my technique.

Until one day, I came across one that completely tripped me up. Twice!

So here I was setting up my account. The password requirements were pretty standard. Or so I thought. They wanted at least 16 characters, one uppercase, one number, one special character. Simple enough.

I had my "Butt3rFly" base and added the four-letter suffix. Sweet!

But no.

That's only 13 characters.

Okay, no problem. Let me add three more. I'll go with the last seven letters as the suffix. But no luck again. The URL was only six letters long. Okay, I thought. I'll just add the number 1 at the end.

Okay. That's 16 characters now.

Error again.

Whoops, I forgot the special character.

Okay. Let's replace the 1 with "!". It's just 1 with a Shift.

That worked. I was in.

I did what I had to do and then logged out like a good little boy.

Three weeks later I had to go back in. Of course my brain forgot the additional things I added to my password creation technique.

Okay, no problem. Let's reset it. We all forget passwords, it happens. I hit "reset" and went through the whole thing again. I used the same technique, added my suffix, made it long enough, added a special character and pressed Reset.

Error. "Your password is too similar to your current password."

"I know!" I screamed. I just don't know what the stupid suffix is any more because your requirements didn't match my mental model of what my passwords looked like.

Now before you say anything about how insecure all this was, this was well before password managers. Now I know better and I just let the password be auto-generated and don't look twice.

The problem is that even nowadays, not everyone uses a password manager. They reuse their passwords. And if some requirements don't match, they get stuck. They will end up forgetting their password every time.

And now add on top of all this something like dyslexia or tremors. Or maybe ADHD? Or maybe they're using a password manager, but the website disables autocomplete and now they have to type 16 random characters made up of random lowercase, uppercase, numbers and special symbols.

All that security is trying to protect us from ourselves and from others.

But when is too much security actually too much security?
