I meant that the rules I propose combined with a minimum length (be it 6 or 8 characters) should suffice.
Together with a policy that does history checking, lockouts and
expiration we would have a secure enterprise setting, right?
Off course I agree that fds should setup reasonable default
values which can be upgraded or downgraded by the directory admin.