atoponce, I've been screaming this for years. Service providers that provide authentication should do these two things at a minimum:
- Require at least 12 characters.
- Use ZXCVBN to estimate password strength and require a score of 4.
Interestingly enough, if you do those two things, you don't need stupid password complexity requirements, and you don't need a blacklist, as 12+ characters with a ZXCVBN score of 4 won't show up in password database breaches.