by bdfh42 4766 days ago
You will probably get mixed opinions. I prefer that a "sign-up" page gives clear indications of the minimum standards required for passwords (although these should be inclusive and not exclude characters).

Validating the user name is always a bit of a problem - assuming you want unique usernames (and can't use an email address). It is nice to be able to offer some user feedback (with some back end validation via AJAX) but then again you don't want to give too much away about pre-existing user names.

On a "sign-in" page then there should not be any validation of the password at the client end - this should only be done at the server and if the user name/password combination fails then the user should be told of the failure but not which element failed validation. I also like to slow the response to an invalid log-in.
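A server-side sketch of the sign-in behaviour described in the comment above, added here as an illustration and not part of the original post: every failure returns the same message, unknown usernames cost the same hashing work as known ones, and failed attempts are delayed. The user store, function names, delay and PBKDF2 work factor are assumptions for the demo.

```python
import hashlib
import hmac
import os
import time

GENERIC_ERROR = "Invalid username or password."  # same text for every failure
FAILURE_DELAY_SECONDS = 0.5                       # assumed value; tune per deployment
PBKDF2_ROUNDS = 100_000                           # assumed work factor for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted password hash; all checks happen on the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample user store (stands in for a database).
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record so an unknown username still triggers one full hash computation.
_DUMMY = make_record("placeholder-never-matches")


def sign_in(username: str, password: str, delay: float = FAILURE_DELAY_SECONDS):
    """Return (ok, message). The message never says which field was wrong."""
    record = USERS.get(username)
    known = record is not None
    if not known:
        record = _DUMMY  # keep the work done identical for unknown users
    candidate = hash_password(password, record["salt"])
    matches = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    if known and matches:
        return True, "Signed in."
    time.sleep(delay)  # slow every failed attempt, whatever the cause
    return False, GENERIC_ERROR


if __name__ == "__main__":
    print(sign_in("alice", "correct horse battery staple"))
    print(sign_in("alice", "wrong password"))
    print(sign_in("mallory", "wrong password"))
```

A fixed sleep only slows a single client; a per-account or per-source attempt counter would be the usual next step and is not shown here.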