See all my other comments on this thread. Why does your mother use LastPass? How did she learn about it? How about the other 99% of the people? How do you make them use LastPass?
> Tell the user: your password must contain the following word: “hzru”
Enforcing this kind of thing on the masses won't make for stronger passwords; it will just have them opening up notepad.exe and saving this site's too-hard-to-remember-because-it-has-too-many-rules password in ~/Desktop/logins.txt
Now you'd have to prove that having passwords stored in a file is worse than massive password leaks. I suspect that it isn't. People already carry laptops with browsers that save passwords automatically. Losing your laptop already implies a password-change-fest.
Are you implying that browsers save passwords in cleartext? A quick search indicates that all major browsers encrypt passwords to user accounts, and some give the option of a master password as well.
They do encrypt passwords, but that doesn't matter. You can still log in to their accounts and do anything you want. And if for some reason you really do want the actual passwords, you can obtain those too: obviously they get decrypted to send to the website you're logging in to, so just capture them at that point. Normal people don't configure master passwords.
Ok, I'll put it another way. I'm some extremely large number percent more likely to be an early adopter of your product than my mother. I will never, ever sign up with such a restriction on my password.
I don't care what we do about the rest of them. Make a bigger blacklist, require more complex passwords, implement better protections against brute force.
The easiest one (to use and implement) is two-factor auth, but many people lack smartphones still so it's hard to make that the easy call.
If you want to MAKE people use secure passwords, you assign them a random password and don't allow them to choose their own. They'll write it down on a piece of paper, making them pretty damn secure against almost anything except a physical break-in.
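The two mechanisms argued over in this thread, a server-chosen word the user's password must contain (the "hzru" proposal quoted earlier) and a fully server-assigned random password (the comment above), as an added example; this is my own illustration, not code from anyone in the thread. The function names, the 4-character lowercase+digit word, the 12-character assigned password and the blacklist check are assumptions.

```python
import math
import secrets
import string

# Alphabet for the server-chosen required word (assumed: lowercase + digits).
WORD_ALPHABET = string.ascii_lowercase + string.digits
# Alphabet for a fully server-assigned password (assumed: letters + digits).
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def assign_required_word(length: int = 4) -> str:
    """Server-chosen random word the user must embed in their password.

    Uses the OS CSPRNG via `secrets`; never `random`, which is predictable.
    """
    return "".join(secrets.choice(WORD_ALPHABET) for _ in range(length))


def assign_random_password(length: int = 12) -> str:
    """Server-assigned password: the user never chooses, so no dictionary word."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def entropy_floor_bits(length: int, alphabet_size: int) -> float:
    """Guaranteed entropy of a uniformly random string of this length.

    For the required-word scheme this is the floor an attacker must search
    even if the user's own part of the password is a blacklisted word.
    """
    return length * math.log2(alphabet_size)


def validate_password(candidate: str, required_word: str,
                      blacklist: frozenset, min_length: int = 8) -> tuple:
    """Check a user-chosen password against the required-word policy.

    Returns (accepted, reason). The blacklist is applied to the password
    with the required word stripped out, so "password" + "hzru" is still
    rejected as a blacklisted base password.
    """
    if len(candidate) < min_length:
        return False, "too short"
    if required_word not in candidate:
        return False, "missing required word"
    base = candidate.replace(required_word, "", 1).lower()
    if base in blacklist:
        return False, "blacklisted base password"
    return True, "ok"
```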