Hmm, I'm thinking of ways to add password complexity to TeamMentor, and one interesting dilemma is that the current model is based on only hashes being used.
Since, when creating a new account or changing the password, the real password is never sent to the server, there is no way to check (on the server) how strong that password is :) , right?
Maybe we could have a commonly-used-weak-passwords-mini-rainbow-table on the server to check those hashes against?
It looks like the only thing we can do is to have client-side GUI checks (i.e. 'password too small', 'you must write it in Klingon', etc...), which can be bypassed by using the public WebServices APIs (also used by the GUI).
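A sketch of the weak-password hash check suggested above, as an added example that is not TeamMentor's code. It assumes the client sends a hex SHA-256 of username + password (a hypothetical scheme; the post does not say how the hash is built), so the candidate hashes are computed per account rather than read from a static table.

```python
import hashlib
import hmac
import re

# Constructed sample list; a real deployment would load a larger common-password list.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "letmein", "teammentor"]

HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def client_hash(username: str, password: str) -> str:
    """Assumed client-side scheme (hypothetical): hex SHA-256 of username + password."""
    return hashlib.sha256((username + password).encode("utf-8")).hexdigest()


def check_submitted_hash(username: str, submitted: str, weak=WEAK_PASSWORDS) -> str:
    """Classify a hash received by the web service as 'malformed', 'weak' or 'ok'."""
    candidate = submitted.strip().lower()
    # The API is public, so first check that the value even looks like a hash.
    if not HEX_SHA256.fullmatch(candidate):
        return "malformed"
    # Listed passwords plus trivial guesses tied to the account (and the empty password).
    guesses = set(weak) | {username, username.lower(), username + "1", ""}
    for guess in guesses:
        # Because the username is mixed in, each guess is re-hashed for this account.
        if hmac.compare_digest(client_hash(username, guess), candidate):
            return "weak"
    return "ok"


if __name__ == "__main__":
    for pw in ["password", "alice", "correct horse battery staple"]:
        print(pw, "->", check_submitted_hash("alice", client_hash("alice", pw)))
```

The check runs on the server, so calling the WebServices API directly does not skip it, but it can only flag passwords that are on the list: length or character-class rules cannot be recovered from a hash.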