Password set/change error reporting

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Apr 4 15:11:32 EST 2003


While I think you're dead-on about error codes versus error text, and I
know that opinions about password quality vary widely, I just can't
resist my own $0.02:

>Personally, I don't like to go into a lot of detail about
>why passwords weren't acceptable.  Telling users that
>passwords must be 8 characters or more is (I think) more
>or less a guarantee that most users will pick passwords
>that are *exactly* 8 characters.  I'd rather give them
>a less specific error, like:
>	Your password was too obvious
>than something that encourages people to stick right
>at the limit of the program's pickiness:
>	Your password must be 8 or more characters and contain
>	at least one non-alphanumeric character.
>( which probably guarantees most passwords will be exactly
>8 with exactly one non-alphanumeric... )

While I know there's a tendency to just meet the minimum, judging from
the responses from our users I get the feeling that a very vague
message like "too obvious" doesn't give enough information.  I mean,
what does that mean?  I can see a user keep trying more and more words
("It thinks 'ootid' is an obvious password?") that aren't "obvious"
without realizing that what we really want is a longer password,
something with some numbers or punctuation, or a non-dictionary word.
I think being a bit more descriptive like "too short", "not enough
non-alphanumeric characters", "found in a dictionary" are better.  But
the nice thing about returning an error string is that I can have it
my way, Marcus can have it his way, and we can both interoperate :-)

--Ken
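As an added illustration of the two styles argued over above (example code, not from the krbdev thread or from MIT krb5): a password-quality check that collects specific reasons such as "too short", "not enough non-alphanumeric characters" and "found in a dictionary", with one formatter that reports them descriptively and another that collapses every failure into a single generic message. The thresholds and the word list are constructed for the example; a real deployment would load its own dictionary and policy.

```python
"""Added example (not from the krbdev thread): a password-quality check that
returns specific reasons, plus two ways of turning them into user-facing
text. Thresholds and the word list are constructed for illustration."""

import re

# Constructed sample word list standing in for a real dictionary file.
SAMPLE_DICTIONARY = frozenset({
    "password", "kerberos", "secret", "welcome", "letmein", "dragon",
})


def _dictionary_hit(password, dictionary):
    """True if the password, ignoring case and any leading/trailing run of
    non-letters, is a dictionary word (so 'Secret1!' still counts as 'secret')."""
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", password).lower()
    return core in dictionary


def quality_problems(password, min_len=8, min_nonalnum=1,
                     dictionary=SAMPLE_DICTIONARY):
    """Return a list of descriptive reasons the password is unacceptable.

    An empty list means every check passed. The thresholds are parameters
    so each site can set its own policy (assumed defaults: 8 characters,
    one non-alphanumeric character).
    """
    problems = []
    if len(password) < min_len:
        problems.append("too short (minimum %d characters)" % min_len)
    nonalnum = sum(1 for c in password if not c.isalnum())
    if nonalnum < min_nonalnum:
        problems.append("not enough non-alphanumeric characters "
                        "(need at least %d)" % min_nonalnum)
    if _dictionary_hit(password, dictionary):
        problems.append("found in a dictionary")
    return problems


def descriptive_message(password, **policy):
    """Ken's preferred style: tell the user what is actually wrong.

    Returns None when the password is acceptable.
    """
    problems = quality_problems(password, **policy)
    if not problems:
        return None
    return "Password rejected: " + "; ".join(problems)


def vague_message(password, **policy):
    """The quoted reply's preferred style: one generic message for every
    failure, so users are not told exactly where the limit lies.

    Returns None when the password is acceptable.
    """
    if quality_problems(password, **policy):
        return "Your password was too obvious"
    return None


if __name__ == "__main__":
    # Constructed candidates; 'ootid' is the made-up word from the post.
    for candidate in ("ootid", "Secret1!", "correct horse!9"):
        print("%-16r descriptive: %s" % (candidate, descriptive_message(candidate)))
        print("%-16r vague:       %s" % (candidate, vague_message(candidate)))
```

Because both formatters sit on top of the same `quality_problems` list, the server decides how much to reveal while the client simply displays whatever string comes back, which is the interoperability point Ken makes at the end of his post.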
