There are many techniques to enforce strong passwords on website:

• Requesting that passwords pass a regex of varying complexity
• Setting the password autonomously, so that casual users have a strong password
• Letting passwords expire
• etc.

On the other hands there are drawbacks, because all of them make life less easy for the user, meaning less registrations.

So, what techniques do you use? Which provide the best protection vs. inconvenience ratio?

To clear things up, I am not referring to banking sites or sites that store credit cards. Think more in terms of popular (or not-so-popular) sites that still require registration.

I don't think it's possible to enforce strong passwords, but there are lots of things you can do to encourage them as much as possible.

• Rate each password and give the user feedback in the form of a score or a graphical bar, etc.
• Set a minimum password score to weed out the awful ones
• Have a list of common words that are either banned, or tank the password score

One excellent trick I like to use is to have the password's expiry date tied to the password score. So stronger passwords don't need to be changed so often. This works particularly well if you can give users direct feedback about how long the password they've chosen will live for (and dynamically update it so they can see how adding characters affects the date).

Don't enforce anything ... if you are not protecting financial information or something equally important, then don't make the user choose a strong password.

I have the same weak password on a whole load of sites that require registration for forums, etc. I don't really care if someone guesses it and can post messages as me (and don't think there is much motivation for someone to do so). What I can't do is remember different strong passwords for a dozen sites and don't really want to use another piece of software to manage them for me.

The best compromise would be to show some kind of feedback to the user on how strong the password is (based on whether it is a dictionary word, number of different character types, length, etc).

Why enforce it?

I found that a "password strength meter" (a bar indicating password strength as you type) is usually a good non-intrusive measure. It makes those who care about security to have a guilty conscience about password weakness, yet does not frustrate those who do not care as much.

Also, there is an insightful essay on why periodic password change policy is a bad idea with today's threat model.

It's been my experience that it depends really on the type of site, as you said.

If you are creating a bank or financial website then users typically understand if you have a more secure password, since their personal data may be at risk.

However for sites that typically don't contain a lot of personal information a simpler password will be fine. They may be less prone to hack attempts, and wouldn't get anything worthwhile anyway.

I've also found that most people also seem to have a couple passwords they use often. One being complex, and another being simple. So requesting they use a complex password usually won't keep people from registering.

I've never found expiring passwords to work successfully. As I said before, many people already have a set couple of passwords they use often, so asking them to go outside of this just for your site may make them not want to come back.

The best way really depends on your site and what you are using. But the ideal way is to do as much on the client side as you can before they submit it. Using RegEx is a good way. If you can make them not have to submit the form again, that is ideal.

On letting passwords expire, there are two notable problems with the practice:

• Users find it more difficult to remember their current passwords, and so they are more likely to do silly things like write them on a post-it stuck to their monitor.
• Users don't generate a new, strong, unrelated password on each attempt. Most of the time they use some scheme to generate a password similar to their old one. Therefore, if an attacker gets an old password, it's still pretty easy for them to deduce a newer one.

EDIT: Which isn't to say I'm against the whole idea, but just that this needs to be considered along with other factors.

There's an Ajax tool, PasswordStrength, that will give the user an idea if their password is any good. I like it because it doesn't have to prohibit the creation of a password.

http://www.asp.net/AJAX/AjaxControlToolkit/Samples/PasswordStrength/PasswordStrength.aspx

I've never seen this done, but it seems like it would work wonderfully: the password creation page could have an expandable list of the,say, the 50 most common passwords, forcing the user to scroll down a bit before typing in their password. This, combined with Checkers' suggestion, would do much to prevent careless choices.

However, solving the problem of preventing password reuse... no clue.