<brion> "aaaaaaaaaaaaaaaaaaaaaaaa" ain't secure
<TimStarling> "password" isn't secure either, and that's 8
It seems to me that a pretty secure approach would be to have the system give the user his 8-12 character password, rather than letting him pick a password. Then we can be assured that he's not doing stuff like "p@ssword" to meet the complexity requirements.
Well, if we are going to go down that road, requiring public/private key pairs would also be more secure. However, I doubt either would be acceptable to users.
-bawolff