I've been changing passwords around lately, something that I like to do every once in a while to keep myself on my toes, and I have to say that I am still shocked to see some of the requirements in place by certain places. More than 1 financial institution has password limitations that actually weaken what you can do!
For example, here's the policy from American Express
# Contain 6 to 8 characters - at least one letter and one number (not case sensitive)
# Contain no spaces or special characters (e.g., &, >, *, $, @)
# Be different from your User ID and your last Password
Seriously? I'm limited to an alphanumeric password no larger than 8 characters and no smaller than 6? I understand that they have other limitations in place to prevent a computer from brute-forcing the password, but I can't help but think these requirements are unhelpful and unnecessary.
It's time for all webmasters who store passwords to make sure that these silly limitations are removed. Here are some policy recommendations:
Special characters and spaces should be allowed and even encouraged.
Minimum password length enforcement makes sense, but if you're going to have a maximum make sure it's at least 16 characters
All passwords should be encrypted and salted in your database
Require 5-10 seconds in between each failed login
Finally, provide your users with an password strength indicator so they know if they've selected something easy to break. Microsoft actually does a great job of this. Assuming you can find how to change your password in hotmail, they provide good feedback when you do it. They even have some recommendations of their own you should look at..