When users are created, or when a user changes a password, the password can contain letters, numbers and special characters like an exclamation point. And it can go up to 40 characters, so the user can make it very hard to decrypt by choosing a password that isn't too short. In fact, a long password is always harder to crack than shorter passwords. Regardless of using lower case or upper case and using special characters. Studies show that a difficult-to-type and hard to remember passwords can be even less secure because people tend to write them down. And it is easier to "read" the passwords from the key-strokes while the user is typing in the password. So for best protection, use easy to remember, easy to type but long passwords.
Require a minimum password length
Knowing all this, we want to encourage the use of longer passwords. Until now, we didn't require a specific length. But in the upcoming Release we will introduce the option to require a specific password length. Once you have set the minimal required length, this will not have any effect immediately. Only when a new users is created, or when a users changes the password, the new policy is applied and the user will be shown a message, notifying the user the required length.
Don't worry, the value shown here is no longer allowed. We found out ourselves that a maximum value restriction would come in handy. So for now the maximum value for the minimal required length is set to 16.