How is password policy applied
The policy is applied in all sections of the website where a new password can be entered. This includes various types of web parts that display forms on the live site, such as My account or the Registration form, and the administration interface (Administration -> Users). The requirements of the policy, except for the regular expression, are additionally observed when the system automatically generates new passwords. This is also the case if the Use password policy setting is disabled, so you can affect how passwords should be generated even if you do not wish to set a policy for your website's users.
When you introduce a password strength policy, existing users are by default allowed to keep their passwords unchanged. To force existing users to observe the policy, enable the Force password policy on logon setting. With this setting enabled, the system checks whether a user's password meets the policy requirements every time the user logs in. When the password doesn't meet the requirements, the user is presented with a form for changing the password.
Password strength indicator
When a user types in a password, it is validated in real time and its status is reflected by an indicator below the field. If a policy is set, passwords that do not fulfill the requirements will be rejected with the Not acceptable status.
Valid passwords will have a different status displayed according to their relative strength, which is calculated based on the recommended values for the total password length (12 by default) and the number of non-alphanumeric characters (2 by default). If a password policy is not enabled for the website, the current strength status of passwords will still be shown, but only as a recommendation, and all passwords will be accepted.
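The following JavaScript example is added here to show how the policy check and the strength indicator interact; it is not the product's own code. The setting names, the status labels other than Not acceptable, and the scoring formula are assumptions made for illustration.

```javascript
// Added illustration. Setting names, the "Weak"/"Medium"/"Strong" labels and
// the scoring formula are assumptions; only "Not acceptable" and the default
// recommended values (12 and 2) come from the text above.
const DEFAULTS = {
  usePolicy: false,              // hypothetical name for "Use password policy"
  minLength: 0,
  minNonAlphanumeric: 0,
  regex: null,                   // optional pattern, given as a string
  recommendedLength: 12,
  recommendedNonAlphanumeric: 2,
};

// Count characters that are neither letters nor digits (Unicode-aware).
function countNonAlphanumeric(password) {
  const matches = password.match(/[^\p{L}\p{N}]/gu);
  return matches ? matches.length : 0;
}

// Return the names of the policy requirements the password fails.
function policyViolations(password, s) {
  const violations = [];
  if ([...password].length < s.minLength) violations.push("minLength");
  if (countNonAlphanumeric(password) < s.minNonAlphanumeric) {
    violations.push("minNonAlphanumeric");
  }
  if (s.regex && !new RegExp(s.regex, "u").test(password)) violations.push("regex");
  return violations;
}

// Share of a recommended value reached, capped at 1; a target of 0 counts as met.
const ratio = (value, target) => (target <= 0 ? 1 : Math.min(value / target, 1));

function evaluatePassword(password, settings = {}) {
  const s = { ...DEFAULTS, ...settings };
  // With the policy disabled nothing is rejected; strength is only advice.
  const violations = s.usePolicy ? policyViolations(password, s) : [];
  if (violations.length > 0) {
    return { accepted: false, status: "Not acceptable", violations };
  }
  const score = (ratio([...password].length, s.recommendedLength) +
    ratio(countNonAlphanumeric(password), s.recommendedNonAlphanumeric)) / 2;
  const status = score >= 1 ? "Strong" : score >= 0.5 ? "Medium" : "Weak";
  return { accepted: true, status, violations };
}
```

An indicator of this kind only informs the user while typing; the acceptance decision has to be repeated on the server when the form is submitted.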
To help users come up with an appropriate password, you can use the Policy violation message setting to specify a text message that will be displayed to users who attempt to enter a password that does not fulfill the requirements of the password policy. If left empty, a default message will be shown, stating the minimum password length and the minimum number of non-alphanumeric characters. If you wish to use a regular expression, it is recommended to describe its requirements in a custom message. If your site has multiple cultures (languages) assigned to it, you can enter a different message for each language via the Localize (