
It should be mentioned that the NIST reference Jeff cites is only a draft, started last year. https://pages.nist.gov/800-63-3/sp800-63b.html

It's a great one. Not only does it recommend against composition rules, but

> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)

Oh, if there is a sin against passwords, it is forcing quickly memorizable (i.e. simpler) passwords.



Avoid those password rotations:

password1 -> password2 -> password3



