I would consider the following to be good interaction:
For a password like: Troubadour1&
"""
Your password failed a complexity check, estimated entropy: 17 bits, password
pattern detected: dictionary word with simple modifications (capitalise,
suffix-1, suffix-symbol). This system requires passwords with at least 20
bits of entropy.
That ends up saying “too bad, try something else” like we already do, except there are
more scary words ☺ Showing the pattern that was detected does nothing to show _other_
patterns that will also not be allowed.
If nobody else is looking at your screen, you can use one of the following
random passwords:
red mist
second wanted degree
however ready respect using
"""
Now this is a useful idea. We should have this. (The required never-ending
nowhere-leading discussion about what the recommendations should look like
notwithstanding.)
Mirek
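As an added example, not code from the message or its author: a Python sketch of the two pieces the proposed interaction needs, a guess-count entropy estimate for a dictionary word with the listed simple modifications, and CSPRNG-drawn word passphrases with their entropy and the word count a 20-bit policy requires. The word list, its assumed attacker-side size and the symbol set are constructed assumptions, so the bits it reports need not match the 17 quoted above.

```python
import math
import secrets
import string

# Constructed word list standing in for a real dictionary (assumption, not from the message).
WORDS = ["troubadour", "red", "mist", "second", "wanted", "degree",
         "however", "ready", "respect", "using", "candle", "harbour"]
# Assumed size of the word list an attacker would try; this number, not len(WORDS),
# drives the entropy estimate for dictionary-based passwords.
ATTACKER_LIST_SIZE = 10_000
SYMBOLS = "!@#$%^&*"   # assumed set of "simple" trailing symbols


def analyse(password):
    """Return (estimated_bits, detected_patterns) when the password is a
    dictionary word with the modifications the message lists (capitalise,
    suffix-1, suffix-symbol); return None when it does not fit that model.
    Bits are log2 of the number of guesses the modelled attacker needs."""
    core, patterns, guesses = password, [], ATTACKER_LIST_SIZE
    if core and core[-1] in SYMBOLS:               # trailing symbol, e.g. '&'
        core, guesses = core[:-1], guesses * len(SYMBOLS)
        patterns.append("suffix-symbol")
    if core and core[-1] in string.digits:         # trailing digit, e.g. '1'
        core, guesses = core[:-1], guesses * 10
        patterns.append("suffix-1")
    if core[:1].isupper() and core[1:].islower():  # Capitalised word
        core, guesses = core.lower(), guesses * 2  # word tried plain and capitalised
        patterns.append("capitalise")
    if core not in WORDS:
        return None
    return math.log2(guesses), patterns[::-1]      # report in the order applied


def passphrase_bits(n_words, list_size):
    """Entropy of n words drawn uniformly and independently from list_size."""
    return n_words * math.log2(list_size)


def minimum_words(required_bits, list_size):
    """Fewest words whose passphrase meets the policy (e.g. 20 bits)."""
    return math.ceil(required_bits / math.log2(list_size))


def suggest_passphrase(n_words, words=WORDS):
    """Random words from a CSPRNG, in the style of 'second wanted degree'."""
    return " ".join(secrets.choice(words) for _ in range(n_words))
```

With the assumed sizes, "Troubadour1&" comes out at about 20.6 bits and is reported with the three patterns in the order the message lists them; a password that fits none of them returns None and would need a different estimator.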