The current password policy compliance mechanism isn't really all that 'smart' about how strong a password actually is, and it makes it difficult for system administrators to monitor / correct those who are not in compliance.
For example, if we would like people to have really strong passwords then the only thing we can do right now is set a decent length to the password (anything longer than 8 characters would really annoy people), and check off everything available (require uppercase, lowercase, number, and symbol).
But that means a password like "Pa55word!" qualifies as being strong, but something like "At lunch I like to eat 5 donuts" doesn't.
So is there any way to build some logic into the password requirements that gives some sort of "weight" to each of those parameters and then comes up with a total score for the password? Then as a system administrator, we would just need to set the minimum threshold score. This is similar to how SPAM weights are assigned. For example:
Each character of the password = 2 points
If the character is an uppercase letter = 3 points
If the character is a number = 4 points
If the character is a symbol = 6 points
At least one uppercase and lowercase letter = 5 points
At least one letter and number = 5 points
At least one letter and symbol = 5 points
In that case
"Pa55word!" = 42 points
"At lunch I like to eat 5 donuts" = 93 points
So we'd just set the minimum threshold around 40 points. I don't think it would be possible to create a weak password with a minimum of 40 points using the parameters above - even if it were all lowercase letters it would be 20 characters long.
Thoughts?
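The weighted scheme proposed above, written out as a policy check in Python. This is an added example, not code from the original post or from any product. It assumes each character earns exactly one weight (2 lowercase, 3 uppercase, 4 digit, 6 for anything else, including a space) and that each of the three mixing bonuses is added once; with that reading "Pa55word!" scores the 42 quoted in the post, while the passphrase scores 109 rather than 93, because the post does not say how spaces are weighted.

```python
# Added example (not from the original post): the weighted password score
# described above, as a policy check. Assumption: every character earns one
# weight (lowercase 2, uppercase 3, digit 4, any other character 6), and the
# three "at least one X and Y" bonuses are each worth 5 and counted once.

CHAR_WEIGHTS = {"lower": 2, "upper": 3, "digit": 4, "symbol": 6}
BONUS = 5          # each of the three mixing bonuses from the post
MIN_SCORE = 40     # administrator-set threshold suggested in the post


def char_class(ch: str) -> str:
    """Classify one character into the four weight classes."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "symbol"   # punctuation, spaces and anything else


def score_password(pw: str) -> int:
    """Sum per-character weights, then add the three class-mixing bonuses."""
    classes = [char_class(c) for c in pw]
    total = sum(CHAR_WEIGHTS[c] for c in classes)
    present = set(classes)
    has_letter = "lower" in present or "upper" in present
    if "lower" in present and "upper" in present:
        total += BONUS   # at least one uppercase and one lowercase letter
    if has_letter and "digit" in present:
        total += BONUS   # at least one letter and one number
    if has_letter and "symbol" in present:
        total += BONUS   # at least one letter and one symbol
    return total


def meets_policy(pw: str, min_score: int = MIN_SCORE) -> bool:
    """Policy decision: the score must reach the administrator's threshold."""
    return score_password(pw) >= min_score


if __name__ == "__main__":
    for candidate in ("Pa55word!", "At lunch I like to eat 5 donuts", "a" * 20):
        print(f"{candidate!r}: {score_password(candidate)} points, "
              f"compliant={meets_policy(candidate)}")
```

Running it shows that "Pa55word!" clears the 40-point threshold exactly as the post predicts, and that 20 lowercase letters (40 points) is the shortest single-class password the threshold admits.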