If you make users jump through hoops when creating passwords, the users will inevitably employ very insecure methods to remember the passwords, like writing them down on a post-it note and sticking it to their monitor.

Force them to change it often? They will take your rule about using numbers, and just serialize their password: same password, incremented every time they are forced to change.

But in the end you are still better off, even if they do this. You may not solve the problem of local security (witness the post-it notes), but at least you won't have people hacking into your SMTP server and using it to relay spam, because someone used their First Name as a password.
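The two failure modes the post describes, the "increment the number" rotation and the first-name password, are both cheap to catch at password-change time. The following is an added example, not code from the poster or from any particular product, showing a password-change validator that rejects a new password when it is the old one with only digits or symbols changed, when it is within a couple of edits of a previous one, or when it contains a personal token such as the user's name. The 12-character minimum, the edit-distance threshold of 2, and the sample passwords and names are assumptions chosen for illustration. It assumes the previous passwords are available in plaintext for comparison; in practice that is true only for the current password, which the user types into the change form, so a deeper history check would have to work differently.

```python
import re

# Thresholds are assumptions for this example, not values from the post.
MIN_LENGTH = 12
MAX_EDIT_DISTANCE = 2


def _stem(pw: str) -> str:
    """Lowercase the password and drop everything that is not a letter.

    'MyDogRex2023!!' and 'MyDogRex2024!!' both reduce to 'mydogrex', which is
    how the serialized-rotation pattern is detected.
    """
    return re.sub(r"[^a-z]", "", pw.lower())


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches single-character tweaks the stem check misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password_change(new_pw, history, personal_tokens,
                          min_len=MIN_LENGTH, max_edit=MAX_EDIT_DISTANCE):
    """Return a list of reasons the new password is unacceptable (empty list = OK).

    history: previous plaintext passwords available for comparison (assumption,
             see lead-in). personal_tokens: names, usernames, etc. that must not
             appear in the password.
    """
    problems = []
    if len(new_pw) < min_len:
        problems.append(f"shorter than {min_len} characters")

    lowered = new_pw.lower()
    for tok in personal_tokens:
        # Ignore very short tokens; two-letter initials would match almost anything.
        if len(tok) >= 3 and tok.lower() in lowered:
            problems.append(f"contains personal information ({tok!r})")

    new_stem = _stem(new_pw)
    for old in history:
        if new_pw == old:
            problems.append("reuses a previous password")
        elif new_stem and new_stem == _stem(old):
            problems.append("is a previous password with only digits/symbols changed")
        elif _levenshtein(lowered, old.lower()) <= max_edit:
            problems.append(f"differs from a previous password by {max_edit} or fewer edits")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    cases = [
        ("MyDogRex2024!!", ["MyDogRex2023!!"], ["Alice"]),   # serialized rotation
        ("alice1234567", [], ["Alice", "Smith"]),            # first name as password
        ("wR7$kq!vZ2pm9Ln", ["MyDogRex2023!!"], ["Alice"]),  # acceptable
    ]
    for pw, hist, toks in cases:
        print(pw, "->", check_password_change(pw, hist, toks) or "OK")
```

The stem comparison is deliberately crude: it treats any change confined to digits and punctuation as no change at all, which is exactly the behaviour the post predicts users will adopt under forced rotation. The edit-distance check covers the remaining cheap tweaks (swapping one letter), and the personal-token check covers the first-name case.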