Quick find code: 14-15-577-66077109
Nice simple answer.
Out of the millions of millions of names and passwords stolen you are worried about 1. If it's going to happen it happens. No matter what security you have it will happen.
Stop worrying. Why lose sleep over it. Comprehensive Account Security
You only have yourself to blame if your password isn't secure enough.
Not to mention our passwords aren't even case sensitive so there's no point even worrying about it because, even if you do uppercase, lowercase and numbers (symbols have never worked: ß┴Ý═Ú╔ˇË etc.), if you type your entire password to log into the game in caps you can still log in.
It's been this way for years.
And, what's more, there should be no reason for it (other than convenience for Jagex), because they shouldn't be storing the passwords, they should be storing the result of a cryptographic algorithm based in part on the password and in part on a secret 'salt' value. The fact that there are password restrictions suggests this may not be the case, which is a concern given it flies in the face of best security practice.
Thunder Jinx is actually correct in essence, but somewhat disingenuously so, as having a long passphrase and the use of multiple character types are not mutually exclusive and should be combined for optimal defence.
Nobody expects to get buggered, but why make it easy. Simple things, like complex and long passwords, are easy to implement but significantly increase the difficulty/cost of an attack. Be that something low-tech like some guy trying to run multiple guesses (which the RS applet does prevent against to its credit) or something high-tech, like some guy who got a hold of the password list trying to crack/reverse engineer the afore-mentioned cryptographic algorithm.
That said, it's been this way for years, Jagex clearly doesn't give enough of a shit to address it, for whatever reason (and they've never given one), so OP, the best thing you can do is use as long a password as is practical and make sure to implement 2FA (which doesn't apply on the website, incidentally). Also take every precaution to protect your associated mail account, as if that's compromised it can be used to compromise your RS account too.
Rant over - I work in this field and have done for some 10-12 years. General stupidity keeps me in a job, so I should encourage it, but the idealist in me still finds it tiresome when simple protections are either refused or aren't provided.
19-Jan-2019 12:14:24 - Last edited on 19-Jan-2019 12:18:42 by Moneybucks
RS passwords are not case sensitive
I have a username login on this account, so I shouldn't see any need to worry. While my accounts are secure, there are tons of accounts that are not. If one were so inclined they could potentially use these lists maliciously on older accounts and scap up a bunch of rs3(lol) rares. The older lists are entirely more concerning, because older breaches likely have weaker password standards and this potentially brings one's password closer to those able to be used here.
Just an fyi for any other readers: Pass phrases are very popular. It's using a phases instead of a word or two for your password, and it's often followed up by partitioning the words, scrambling them a little bit, and replacing some of the letters with numbers. Some places will buff it up by front-loading the phrase with a pin or even a token. You could do something as simple as:
(arbitrary pin example 5640) I love my cat
i lo my ca
Resulting in 5640il0myc4
It's a non-sensible password to anybody else, but it's easy for you to remember a pin and a meaningful phrase.
I don't doubt its imperfections, but it's good enough and practical. Putting locks on your doors wont make it impossible for people to break in, but it adds time and effort, and that's generally good enough to keep people out. You're playing a chance game and you want the odds to be in your favour.
Just make sure you have a bank pin and authenticator.
I actually need to get an authenticator for my email.
I think the issue lies moreso in the fact that people aren't regularly changing their passwords on a daily basis, but I agree with you OP - case sensitive/symbol enabled passwords would be a nice addition.
Oh, and Authenticator is amazing. Quest Cape Skill Requirements
The Official Guide Directory