And even with that base set, even if a computer could theoretically try all trillion possibilities quickly, it’ll make a ton of noise, get throttled, and likely lock the account out long before it has a chance to try even the tiniest fraction of them

One small correction - this just isn’t how the vast majority of password cracking happens. You’ll most likely get throttled before you try 5 password and banned before you get to try 50. And it’s extremely traceable what you’re trying to do. Most cracking happens after a data breach, where the cracker has unrestricted local access to (hopefully) encrypted and salted password hashes.

People just often re-use their password or even forget to change it after a breach. That’s where these leaked passwords get their value if you can decrypt them. So really, this is a non-factor. But the rest stands.

While this comic is good for people that do the former or have very short passwords, it often misleads from the fact that humans simply shouldn’t try to remember more than one really good password (for a password manager) and apply proper supplementary techniques like 2FA. One fully random password of enough length will do better than both of these, and it’s not even close. It will take like a week or so of typing it to properly memorize it, but once you do, everything beyond that will all be fully random too, and will be remembered by the password manager.

First: They did actually end up removing this and making it configurable, check the bottom of the page. In a vacuum, the idea to stop cut-and-clear racists and trolls from using Lemmy is not something that’s too controversial. Sure, they are being hard asses about changing their mind and allowing instance owners to configure it themselves (and I’m glad they changed their mind). But there’s a big overlap between passionate and opinionated people, so they have to be at times to ensure a project doesn’t devolve into something they can’t put your passion into anymore.

Second: I mean… what do you expect? In the issue above they actively encourage people to make their own fork of Lemmy and run that if they don’t like something from the base version of Lemmy, so I kind of would assume they do as they preach. Instance owners also have the option to block communities without defederation. Lemmy.ml is basically their home instance. If anything this is a reason not to make an account on lemmy.ml, but as long as that doesn’t leak into the source code of Lemmy, who cares?

It’s because the current version has nothing wrong with it. If the Lemmy devs should choose to sabotage the Lemmy software, you’d be surprised how easily that happens when it pisses off all the instances and their owners. Instances will simply refuse to upgrade. And like most things, eventually some fork will win the race to become the dominant fork and the current Lemmy devs would be essentially disowned. Different forks also doesn’t necessarily mean API breaking changes, so different forks would have no issue communicating (at least for a while).