My company considers one of its systems "more secure" because they enforce a policy that all passwords must contain 8+ non-space characters. The implementation? "Must be 8+ characters; must not contain spaces."
I've expressed my view on this (and similar password-related policies) many times, but apparently it's all simply a box-ticking exercise for pen testers...
That looks really cool - I haven't seen it before, thanks!
The "offending system" I mentioned, however, is our old PHP application that I don't really work on. (I mainly develop much more modern Rails stuff!)
Like I said, the primary concern of the company is simply to keep pen testers happy - and their criteria for a "secure" website are, in my opinion, often misleading or even downright wrong. But if I ever get the chance to genuinely improve the system, I'll definitely look into using this.