Oh my. These might be the most sensible password policies I have seen
implemented since, I think, ever:
1. Must have a certain length.
2. Can not be one of the most used passwords.
3. Ah, and don't be so silly to repeat your user name.
4. That's all.
No made up rules like "must contain at least one special character
from a set of actually not so special characters" that force users to
make their passwords actually less secure.
Thanks a lot to the team working on this, and the code that backs this up!
Best
Thiemo
PS: Now we just need to know what the 100,001st most used password is. ;-)