A better way to think about passwords

[Nicholas Cole]

Isn't the real problem that *any* policy (suggested or enforced)
reduces the complexity of guessing a password?  The moment you start
saying "pick three words separated by a space or dash" or "pick eight
random letters" or the like you make it easier to attack a password.
My employer insists on passwords that meet a defined and public set of
criteria.  I'm sure that in theory that actually makes them easier to
crack, since many millions of possibilities can be discounted.

In short: don't force a particular strategy on your users.  Much
better to explain to users the general problem, and then leave it up
to them to pick a password.

Nicholas