In writing the network security document, we had a section on password security, but it was rather basic.

passwords must be at least 8 characters
must contain 1 number
etc

Does anyone have (or might have seen) a document that defines what exactly a "good" password is? Maybe with some documentation of how long it takes to crack based on length or character set.