Reading these comments takes me back. I've sat in a lot of security meetings, briefings, and presentations. Passwords are only one part of security; "Security in Depth" was the term I heard a lot. Basically, a minimum of 8 characters is now accepted, and depending on your system a max of 15/20/25 is normal. Make it too complex and people write the passwords down at their PC, because that is where they use them. Make it too simple and you get a lot of passwords that can be easily broken... I have always found it easier to keystroke log, etc.; never had to do the hash thing, LOL. You would be surprised how many systems used to send passwords unencrypted.

The "why" should be asked: why are you asking for a password? I always have a bit of fun here: why ask for certain info? If it's sensitive and you don't need it, don't ask for it; that is the best route. It's only when you start securing certain types of information that you start to question the need for more complex passwords.

Passphrases are nice, but I have found that without training they don't work. Also, if you're asking people to log in every time they have left their computer, even 8 characters sucks.

Be reasonable and think of your clients.