Writing password complexity verifiers is pure joy. You start with a list of rules, there must be a number here, a capital here, a non-letter-or-number here, etc. Then, when the user tries to set a password, you tokenize the password into capital letters, lower case letters, numbers and other character groups.
You then iterate the rules over each token until one of the rules fails (which is guaranteed to happen for all but one rule for each token). Then you return an error message to the user describing the failed rule and the position at which the rule failed (but not subsequent rule failures, as those have yet to be determined and if they had stating them would ruin the fun). At this point the first rule is thus decided and we are ready to start the next attempt, thereby determining the next rule. If there is only one token then an arbitrary next rule can be selected.
As the number of attempts is arbitrary it needs to be set to some value. I find that four is the correct number for things that people don't care about and will abandon if password verification fails too many times. Things that people really need to access can usually be set to ten.
My goal is to hit forty.