Re: Microsoft what?
The Microsoft post reiterates that the old beliefs about passwords are already obsolete
Whilst MS's policy decision is probably a good first step, it is, however, already obsolete!
What is being overlooked is the volume of information that is now out there. Whilst people are focused on the 'password', we should perhaps step back and ask what else is being taken: usernames, email addresses, security question responses, etc.
From the various articles over the years, it would seem that if you know where to look, you will be able to pick up a password list containing email addresses/usernames and passwords. In today's world of 'big' data these datasets aren't particularly big, but are getting sufficiently numerous to be worth mining on a per-username/email-address basis. Thus, whilst MS's approach is a good first step in that it implements some generic/global password checks, what is actually needed is a much finer-grained approach where the checks extend firstly to the passwords that have been frequently found to be paired with a specific email address and secondly to the additional security questions. Perhaps this is something that can be added into password safes, given they have access to (legally obtained) plain text credentials and so can statistically determine firstly whether someone's reuse of the same password has reached a critical point and secondly whether a particular password/credential set has been compromised and so which other credential sets the user should be looking to change.
[Aside: I am wary of recommending using a random password generator, as recent revelations have shown that these may contain vulnerabilities that facilitate the guessing and hence cracking of generated passwords.]
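The per-credential audit the post sketches for a password safe (reuse ratio, per-address breach pairing, and which other entries to rotate), as an added example that is not code from the post or any password manager; the vault entries and the breach pairs are constructed, and passwords are compared by SHA-256 fingerprint so the audit never handles plaintext beyond the vault itself:

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (hypothetical entries, not real credentials).
VAULT = [
    {"site": "mail.example",  "user": "alice@example.com", "password": "Summer2019!"},
    {"site": "shop.example",  "user": "alice@example.com", "password": "Summer2019!"},
    {"site": "bank.example",  "user": "alice",             "password": "x9#Lq2!vB7"},
    {"site": "forum.example", "user": "alice@example.com", "password": "Summer2019!"},
]


def fingerprint(password: str) -> str:
    """Hash a password so comparisons never touch the plaintext directly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a breach corpus mined per email address:
# each entry is (address, fingerprint of a password seen paired with it).
BREACH_PAIRS = {
    ("alice@example.com", fingerprint("Summer2019!")),
    ("bob@example.com", fingerprint("hunter2")),
}


def reuse_groups(vault, threshold=2):
    """Map each password fingerprint to the sites that share it (>= threshold)."""
    groups = defaultdict(list)
    for entry in vault:
        groups[fingerprint(entry["password"])].append(entry["site"])
    return {fp: sites for fp, sites in groups.items() if len(sites) >= threshold}


def reuse_ratio(vault):
    """Share of vault entries covered by the single most-reused password."""
    counts = defaultdict(int)
    for entry in vault:
        counts[fingerprint(entry["password"])] += 1
    return max(counts.values()) / len(vault)


def compromised_entries(vault, breach_pairs):
    """Sites whose (username, password) pairing appears in the breach corpus."""
    return [e["site"] for e in vault
            if (e["user"], fingerprint(e["password"])) in breach_pairs]


def entries_to_rotate(vault, breach_pairs):
    """Every site sharing a password with a compromised entry, not just the hit."""
    bad = {fingerprint(e["password"]) for e in vault
           if (e["user"], fingerprint(e["password"])) in breach_pairs}
    return sorted({e["site"] for e in vault if fingerprint(e["password"]) in bad})
```

On the constructed vault the audit flags three reused entries (75% of the vault on one password) and recommends rotating all three, while the unique bank password is left alone.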