[Kavelach]

Once I was asked to implement a system that applied password rules with a few heuristics. If the password was under 12 characters, then it required numbers, special characters and so on. Over that, it required only a number in it. If you went over 16 (or 18, I don't remember exactly) characters, there were no rules. The front-end explained how the whole system worked and gave the user tips on how they can make their password more secure, heavily promoting phrases as passwords. My friend who is still involved in the project told me a few months ago that they send out satisfaction forms to users, and some users mentioned that thanks to the service they now know how to prepare passwords that are safer and easier to remember.