by kbart 3495 days ago
"I know Google is planning on dinging sites that don't use HTTPS, is it possible they could ding sites for poor password policies?"

How are they gonna do that? Do you expect Google to audit every site in their search ranks?

2 comments

Couldn't Google just auto-register an account with a known good password, and penalise the account if it fails? Someone else mentioned improving the http authentication 'api', which would definitely help in this regard; until then there are drawbacks to the auto-register approach including things like captchas. Sites would have to explicitly allow the Google bot to bypass them.
The same way they index websites: with web spiders. They would need to write new code for this, though. For HTTPS they also had to write new code.
How do you check if the password is salted and hashed correctly afterwards? There's not much use in strong passwords if they are stored in plaintext anyway.