I think AB means that the complexity of the Admin password can be analysed 
when remote connections are made, and if they don't pass some requirement, 
then <do something>.  I haven't thought it through fully either, and tbh I 
don't think we need to enforce complexity either.  Would it not be 
sufficient to ask for confirmation when the admin password is entered:

e.g.

Enter password: a
That password is not complex enough and could fall to a brute-force attack. 
 You need len=8, uppercase, lowercase, numeric, and a non-alphanumeric.  Do 
you want to try again ([Y]/n)?
Enter password: abc
That password is not complex enough and could fall to a brute-force attack. 
 You need len=8, uppercase, lowercase, numeric, and a non-alphanumeric.  Do 
you want to try again ([Y]/n)?
Enter password: 12345
That password is not complex enough and could fall to a brute-force attack. 
 You need len=8, uppercase, lowercase, numeric, and a non-alphanumeric.  Do 
you want to try again ([Y]/n)?
Enter password: @MyPassword123
Password is sufficiently complex for remote connections.

If the user selects "no", the not-complex-enough password still gets used, 
which is the current behaviour.  How say you?


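The advisory prompt proposed in the message above, as an added example that is not part of the original message or the project's code. The function names and the injected read_line callable are assumptions made for illustration, and the warning lists only the unmet rules rather than all five.

```python
MIN_LEN = 8  # "len=8" from the proposed prompt text


def missing_requirements(password):
    """Return the rules from the proposed prompt that the password fails."""
    checks = [
        ("len=8", len(password) >= MIN_LEN),
        ("uppercase", any(c.isupper() for c in password)),
        ("lowercase", any(c.islower() for c in password)),
        ("numeric", any(c.isdigit() for c in password)),
        ("non-alphanumeric", any(not c.isalnum() for c in password)),
    ]
    return [name for name, ok in checks if not ok]


def choose_password(read_line, write=print):
    """Advisory prompt: warn on a weak password, accept it if the user says 'n'.

    read_line(prompt) -> str is injected (hypothetical interface) so the loop
    can be driven by getpass.getpass() interactively or by scripted answers.
    Returns (password, is_complex).
    """
    while True:
        password = read_line("Enter password: ")
        missing = missing_requirements(password)
        if not missing:
            write("Password is sufficiently complex for remote connections.")
            return password, True
        write("That password is not complex enough and could fall to a "
              "brute-force attack. Missing: " + ", ".join(missing) + ".")
        answer = read_line("Do you want to try again ([Y]/n)? ").strip().lower()
        if answer in ("n", "no"):   # empty input takes the default, Y
            return password, False  # weak password kept: the current behaviour


def scripted(answers):
    """Build a read_line that replays constructed answers."""
    it = iter(answers)
    return lambda prompt: next(it)


if __name__ == "__main__":
    # Constructed session mirroring the one in the message above.
    session = ["a", "", "abc", "y", "12345", "Y", "@MyPassword123"]
    print(choose_password(scripted(session)))
```

The second return value lets the caller decide what to do with a password the user insisted on, for example whether to allow it for remote connections.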