What do people think about how robust the PCI password requirements are? The organization I work for follows them and implements an 8-character minimum with upper/lower/number and/or symbol. That requirement is for non-admin internal users. It does not, however, make any mention of commonly used dictionary words or personal information. I would think that even with digits and symbols, if you still compose your password largely with an actual word of some kind, that would leave you vulnerable to a dictionary or bicycle attack, no? Just curious, as the current policy seems like it could be more sound.
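An added example, not part of the original post: a small audit that applies the composition rule described above next to a dictionary and personal-information check, to show which passwords satisfy the first while failing the second. The word lists, the substitution map, the function names, and the reading of the rule as "upper, lower, and a digit or symbol" are all assumptions made for illustration.

```python
import re

# Constructed sample lists (assumptions); a real deployment would load a
# breached-password corpus and per-user attributes (name, employer, username).
COMMON_WORDS = {"password", "summer", "welcome", "dragon", "monkey"}
PERSONAL_TOKENS = {"alice", "acme"}  # hypothetical user and company name

# Common character substitutions, reversed before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def meets_composition(pw):
    """Composition rule from the post, read here as: at least 8 characters,
    an uppercase letter, a lowercase letter, and a digit or a symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(not c.isalpha() for c in pw))


def _letters(s):
    # Drop everything except a-z so padding like "2024!" disappears.
    return re.sub(r"[^a-z]", "", s)


def dictionary_hit(pw):
    """Return the first listed word found inside the password after
    normalisation, or None if the password is not built on a listed word."""
    lowered = pw.lower()
    candidates = (_letters(lowered), _letters(lowered.translate(LEET)))
    for word in sorted(COMMON_WORDS | PERSONAL_TOKENS):
        if any(word in c for c in candidates):
            return word
    return None


def audit(pw):
    """Return (passes composition rule, dictionary word found or None)."""
    return meets_composition(pw), dictionary_hit(pw)


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ["Summer2024!", "P@ssw0rd1", "Alice#1987", "vK9#tq2LmXw4"]:
        ok, hit = audit(pw)
        print(f"{pw:14} composition={'pass' if ok else 'fail'} dictionary_hit={hit}")
```

The first three sample passwords pass the composition rule and are still flagged, which is the gap the post describes; only the last one clears both checks.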