by rdl 5123 days ago
The problem is it's hard to measure actual entropy. You can make a reasonable approximation (vs. a dictionary, and looking at the total character set) -- then, if you can, display the strength in some graphical way (ideally with a list of suggested rules which get checkmarked as the passphrase satisfies them). Still. "one TWO 3 +our" has less entropy than this would suggest.

I generally set an absolute minimum of 6-8 characters, not equal to username, site name, or a set of common passwords (including "password"). Sometimes require one (or two or three) of uppercase, number, or symbol for short passwords (i.e. stop requiring it if it is longer than 12 characters).

However, when a standard (or company policy) requires something like DIACAP, I'll enforce it in the pw creator. The absolute worst thing is when policy changes, and an allowed password becomes disallowed -- if it just expires and needs to be changed, that's one thing, but I've had sites where my long, special-case-laden passphrase worked in some login routines but didn't work in things like the password update routine (!!!).

For anything internal, I consider passwords basically unacceptable as an authentication mechanism alone; there must be PK or some kind of two factor auth.
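A minimal strength meter along the lines rdl sketches, as an added example that is not part of the thread: the naive length times log2(character set) estimate next to a dictionary-aware one that explains why "one TWO 3 +our" scores far lower than it looks, plus his policy rules (length floor, not username/site/common password, class mix only for short passwords). The word list, common-password list and digit-to-word table are constructed stand-ins, and the one-bit surcharge for case or decoration variation is an assumption.

```python
import math
import string

# Constructed word list, common-password list and digit-to-word table: tiny
# stand-ins for what a real meter (or a cracker's wordlist) would carry.
DICTIONARY = {"one", "two", "three", "four", "our", "horse", "battery", "staple"}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
DIGIT_WORDS = {"1": "one", "2": "two", "3": "three", "4": "four"}

def charset_size(pw):
    """Alphabet size implied by the character classes present."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33  # printable ASCII symbols incl. space
    return size

def naive_entropy(pw):
    """Length x log2(alphabet): the approximation a simple meter reports."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def adjusted_entropy(pw):
    """Charge each recognisable word as one dictionary pick, not as random chars."""
    bits = 0.0
    for token in pw.split():
        core = token.strip(string.punctuation).lower()  # "+our" -> "our"
        core = DIGIT_WORDS.get(core, core)              # "3" -> "three"
        if core in DICTIONARY:
            # one pick from the list, plus one bit (assumed) for case/decoration variation
            bits += math.log2(len(DICTIONARY)) + 1
        else:
            bits += len(token) * math.log2(charset_size(token))
    return bits

def check_policy(pw, username, site_name):
    """rdl's rules: length floor, not username/site/common, class mix only when short."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.lower() in {username.lower(), site_name.lower()} | COMMON_PASSWORDS:
        problems.append("equals username, site name or a common password")
    if len(pw) <= 12 and not any(c.isupper() or c.isdigit() or not c.isalnum() for c in pw):
        problems.append("short password needs an uppercase, digit or symbol")
    return problems

if __name__ == "__main__":
    for pw in ("one TWO 3 +our", "x7Q#pL2vR9sT"):
        print(f"{pw!r}: naive {naive_entropy(pw):.1f} bits, adjusted {adjusted_entropy(pw):.1f} bits")
    print(check_policy("password", "alice", "example.com"))
```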