When I tried to change my password to a twenty character pass phrase, I wasn't allowed because it was "too weak". Adding a single digit made it "strong." I am not particularly comforted by this.