Hacker News

I don't think the bullet-point list of requirements is that relevant anymore; instead, I'd give a live-updating password strength indicator and reject anything "weak" or "medium". That way, the user can decide for themselves on symbols and letters or length. A check on commonly used passwords should also be included, of course.


Well, I think if you have such rules in place you should always indicate what rules are not satisfied by a password, and not only after hitting submit!


Agreed. And even if you're only going to judge the strength, at least show what the user can continue to do or has already done to strengthen their password.


I wrote documentation for software that replaced set rules with a library that would determine the 'strength' of a password and only accept strong passwords. My feedback was 'this is bullshit, I've had 40 passwords rejected and I don't know why. How is the non-technical user supposed to pick a password when the rules and tests are secret and the doc person themselves can't use it?'
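The comments above argue for the same thing from both sides: a strength-based check that rejects "weak" and "medium" and includes a common-password list (first comment), combined with feedback that tells the user, live and before submit, which rules are unmet and what would make the password stronger (second, third and fourth comments). The following is an added example, not code from the thread or from any library mentioned in it, that puts those two ideas together in one checker. The entropy estimate, the thresholds (40 and 60 bits), the hint texts and the tiny common-password list are all assumptions chosen for illustration; a real deployment would load a large breach-derived list and tune the thresholds.

```javascript
// Added example (not from the thread): a password checker whose verdict is
// always explained. evaluatePassword() returns a strength label, the estimate
// it is based on, and the concrete hints the user can act on, so a live
// indicator can show both why a password is rejected and how to strengthen it.

// Constructed stand-in for a commonly-used-password list (assumption: a real
// deployment loads a large breach-derived list instead).
const COMMON_PASSWORDS = new Set([
  "password", "123456", "qwerty", "letmein", "welcome1", "iloveyou",
]);

// Each hint has an id for the UI to key on, a predicate that is true when the
// advice is already followed, and the text shown to the user. Hint texts are
// assumptions; none of them is a secret rule.
const HINTS = [
  { id: "length", ok: p => p.length >= 12, text: "Use 12 or more characters; length helps more than symbols" },
  { id: "lower",  ok: p => /[a-z]/.test(p), text: "Add a lowercase letter" },
  { id: "upper",  ok: p => /[A-Z]/.test(p), text: "Add an uppercase letter" },
  { id: "digit",  ok: p => /[0-9]/.test(p), text: "Add a digit" },
  { id: "symbol", ok: p => /[^A-Za-z0-9]/.test(p), text: "Add a symbol or a space" },
  { id: "repeat", ok: p => !/(.)\1{3,}/.test(p), text: "Avoid repeating one character four or more times" },
  { id: "common", ok: p => !COMMON_PASSWORDS.has(p.toLowerCase()), text: "This password is on the common-passwords list" },
];

// Rough entropy estimate (assumption): alphabet size from the character
// classes present, effective length discounted for repeated characters.
// A password on the common list scores zero regardless of its shape.
function estimateBits(p) {
  if (p.length === 0 || COMMON_PASSWORDS.has(p.toLowerCase())) return 0;
  let alphabet = 0;
  if (/[a-z]/.test(p)) alphabet += 26;
  if (/[A-Z]/.test(p)) alphabet += 26;
  if (/[0-9]/.test(p)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(p)) alphabet += 33;
  const distinct = new Set(p).size;
  const effectiveLength = distinct + 0.5 * (p.length - distinct);
  return effectiveLength * Math.log2(alphabet);
}

// Thresholds are assumptions chosen for illustration.
function strengthLabel(bits) {
  if (bits < 40) return "weak";
  if (bits < 60) return "medium";
  return "strong";
}

function evaluatePassword(p) {
  const bits = estimateBits(p);
  const strength = strengthLabel(bits);
  const unmet = HINTS.filter(h => !h.ok(p)).map(h => ({ id: h.id, text: h.text }));
  return {
    bits: Math.round(bits * 10) / 10,
    strength,
    accepted: strength === "strong", // reject "weak" and "medium", as the first comment suggests
    unmet,                           // shown even when accepted, so the user sees what else would help
  };
}

// The text a form would render next to the field on every keystroke.
function renderFeedback(p) {
  const r = evaluatePassword(p);
  const lines = [`Strength: ${r.strength} (${r.bits} bits)` + (r.accepted ? "" : ", not accepted yet")];
  for (const h of r.unmet) lines.push(`- ${h.text}`);
  return lines.join("\n");
}

// Stand-alone demo: a passphrase with no digits or uppercase still passes,
// because length drives the estimate, and the hints say what else would help.
console.log(renderFeedback("correct horse battery staple"));
console.log(renderFeedback("MyDog1234"));
```

Wire `renderFeedback` to the field's `input` event and the user sees the verdict change as they type, along with every hint that is still open; nothing about the decision is hidden, which is exactly the complaint in the last comment. Because the estimate is length-driven, a long all-lowercase passphrase is accepted while a short password with every character class may not be, which is the "let the user choose length or symbols" point from the first comment.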



