Scenario:
A user is logged in with a smart card (actually, a US government PIV card). We are concerned about the Ctrl-Alt-Del password change dialog where a PIN (password) can be changed. Our policies dictate the following requirements on the PIN:
1. Length 6 to 8 bytes.
2. Digits only.
3. Deny things like 0000000 or 11111111.
I believe this validation cannot be done in this dialog; that the complexity rules work with "real" passwords only. Please, correct me if I'm wrong. I'd like to hear any other solutions you may have.
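For reference, the three PIN rules listed above expressed as a stand-alone check (an added example, not code from the post, from Windows, or from any PIV middleware). It assumes that "things like 0000000 or 11111111" means runs of one repeated digit, and additionally treats straight ascending/descending runs such as 123456 as weak, which is an assumption beyond the post's stated rules. Length is checked in characters, which for ASCII digits equals bytes.

```python
import re

MIN_LEN, MAX_LEN = 6, 8          # rule 1: 6 to 8 digits
DIGITS_ONLY = re.compile(r"[0-9]+")  # rule 2: ASCII digits only (str.isdigit would accept Unicode digits)


def _is_repeated(pin: str) -> bool:
    """Rule 3: every character is the same digit, e.g. 0000000 or 11111111."""
    return len(set(pin)) == 1


def _is_sequential(pin: str) -> bool:
    """Assumed extension of rule 3: a straight run such as 123456 or 876543."""
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return diffs in ({1}, {-1})


def check_pin(pin: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate PIN under the policy above."""
    if not isinstance(pin, str):
        return False, "PIN must be a string"
    if not (MIN_LEN <= len(pin) <= MAX_LEN):
        return False, f"length must be {MIN_LEN} to {MAX_LEN} digits"
    if not DIGITS_ONLY.fullmatch(pin):
        return False, "digits 0-9 only"
    if _is_repeated(pin):
        return False, "all digits identical"
    if _is_sequential(pin):
        return False, "sequential run of digits"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample candidates, not real PINs
    for candidate in ["0000000", "11111111", "12345", "123456789", "12a456", "123456", "274193"]:
        print(candidate, check_pin(candidate))
```

Whether the Ctrl-Alt-Del dialog itself can be made to run a check like this is the open question in the post; the function only shows what the policy amounts to when written down, so it can be applied wherever a PIN is actually set or reviewed.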