Frankly, I would not allow weak passwords even in DEBUG mode: a dev system can become a production one simply by disabling DEBUG, but the weak passwords will remain.
Regarding the NIST recommendations: it also says “verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised”. If you can implement that recommendation we would be super-happy. Seriously, some reasonable rules are essential; what might work for us is probably:
- Min. pass length 8 characters
- Require 3 character classes for passwords shorter than 16 chars
- Anything goes for >16 chars, but it’s better to avoid repetitive or sequential characters too
We do use SSO for users in our organization, but we also have to support users from outside, and for those users we use local Indico accounts. We do not want to complicate things by adding a separate, independent registration system; I think everyone will benefit if Indico security improves. It only takes one compromised account to create lots of problems for everyone, and no one wants to deal with that. I still think that a pluggable or configurable mechanism for password verification might work better, as different organizations have different rules and it’s hard to satisfy everyone’s requirements.
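The policy sketched in the post above (minimum length, character classes below a length threshold, no repetitive or sequential runs, and the NIST check against a list of known-compromised values), written out as a configurable validator. This is an added example for illustration, not Indico's own code or the poster's: the `PasswordPolicy` / `check_password` names are made up here, the compromised-password set is a small constructed sample standing in for a real breach corpus (a production deployment would consult a full list such as the Pwned Passwords dataset instead), passwords of exactly 16 characters or more are assumed to be exempt from the class rule (the post does not say which side of the boundary 16 falls on), and a run of three or more repeated or sequential characters is treated as a violation at every length, which the post only says is "better to avoid".

```python
"""Configurable password-policy check modelled on the rules proposed in the post.

Added example, not part of Indico. All thresholds are policy parameters so an
organisation can tune them; defaults follow the post (8 chars minimum, 3 classes
below 16 chars, avoid repeated/sequential runs, reject known-compromised values).
"""
import re
from dataclasses import dataclass, field

# Constructed sample of commonly used / breached passwords (assumption: a real
# deployment would load a full breach corpus, not this handful of values).
SAMPLE_COMPROMISED = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein", "welcome1", "iloveyou",
})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8            # post: min. pass length 8 characters
    class_threshold: int = 16      # post: class rule applies below 16 chars
    required_classes: int = 3      # post: require 3 character classes
    max_run: int = 3               # assumption: 3+ repeated/sequential chars is a run
    compromised: frozenset = field(default_factory=lambda: SAMPLE_COMPROMISED)


DEFAULT_POLICY = PasswordPolicy()


def character_classes(pw: str) -> set:
    """Return the set of character classes present: lower, upper, digit, other."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")  # punctuation, space, anything else
    return classes


def has_repetitive_run(pw: str, n: int) -> bool:
    """True if any character appears n or more times consecutively (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequential_run(pw: str, n: int) -> bool:
    """True if n consecutive characters step by exactly +1 or -1 code point
    (e.g. 'abc', '12345', 'cba')."""
    if n < 2 or len(pw) < n:
        return False
    for i in range(len(pw) - n + 1):
        window = pw[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, policy: PasswordPolicy = DEFAULT_POLICY) -> list:
    """Return a list of human-readable violations; an empty list means acceptable."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(pw) < policy.class_threshold:
        found = len(character_classes(pw))
        if found < policy.required_classes:
            problems.append(
                f"only {found} character class(es); {policy.required_classes} "
                f"required for passwords shorter than {policy.class_threshold} characters"
            )
    if has_repetitive_run(pw, policy.max_run):
        problems.append(f"contains {policy.max_run} or more identical characters in a row")
    if has_sequential_run(pw, policy.max_run):
        problems.append(f"contains {policy.max_run} or more sequential characters")
    # NIST SP 800-63B: compare against known commonly-used / compromised values.
    # Compared case-insensitively so 'Password' is caught by the 'password' entry.
    if pw.lower() in policy.compromised:
        problems.append("appears in the list of commonly used or compromised passwords")
    return problems


def is_acceptable(pw: str, policy: PasswordPolicy = DEFAULT_POLICY) -> bool:
    return not check_password(pw, policy)


if __name__ == "__main__":
    for candidate in ["short", "password", "abc12345xyz", "aaaBBB111!!!",
                      "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Because every threshold lives in `PasswordPolicy`, a site that wants a 12-character minimum or a different class threshold just constructs its own policy object, which is the pluggable behaviour the post asks for. Note that the class and run rules are deliberately applied after the length check rather than short-circuiting, so a user sees every reason a candidate was rejected at once.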