Enforcing a password policy is bad
As admins looking after our flocks of users, we like to enforce good password strength so that no supercomputer can crack your hashed password within a couple of minutes. You want your users' passwords to take around 87+ million years for a desktop PC to crack. The problem is that requiring a "strong" password usually means requiring at least a capital letter, a number, a symbol, and a length of at least 10 characters.

The issue that I see often is that people repeat patterns in their passwords, such as 1234!1234!1234! or something like Some_awesome_Password1. These are pretty predictable in terms of how a brute force attack works (which I am assuming you know).

What we really need is education in the area of passwords, and we need to enforce a 2-factor policy on whatever application we can. I honestly think 2-factor authentication is the way to go, until we can all have finger vein authentication (which would be pretty sweet). Until such time, we have to use password managers and 2-factor authentication. Really though, companies, please try and make users use 2-factor authentication. If you haven't developed it yet, shame on you!
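An added example, not part of the original post: a Python sketch that puts the composition policy described above next to a simple structural check, showing that a password can satisfy the policy and still be built from predictable patterns. The function names, the small word list, and the last two sample passwords are constructed for illustration.

```python
import re
import string

# Constructed sample word list (assumption); real checks use breached-password corpora.
COMMON_WORDS = {"password", "awesome", "some", "welcome", "qwerty", "admin"}

def meets_composition_policy(pw):
    """Policy from the post: capital letter, number, symbol, at least 10 characters."""
    return (len(pw) >= 10
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

def repeated_block(pw):
    """Return the shortest block that, repeated, forms the whole password, else None."""
    for size in range(1, len(pw) // 2 + 1):
        if len(pw) % size == 0 and pw[:size] * (len(pw) // size) == pw:
            return pw[:size]
    return None

def predictable_patterns(pw):
    """List the structural weaknesses a guessing tool would try first."""
    findings = []
    block = repeated_block(pw)
    if block:
        findings.append(f"repeats block {block!r}")
    words = [t for t in re.split(r"[^A-Za-z]+", pw) if t]
    if words and all(w.lower() in COMMON_WORDS for w in words):
        findings.append("built only from common words")
    if re.search(r"[A-Za-z]\d{1,4}$", pw):
        findings.append("digits appended to a word")
    return findings

if __name__ == "__main__":
    samples = [
        "1234!1234!1234!",         # from the post
        "Some_awesome_Password1",  # from the post
        "Abc1!Abc1!Abc1!",         # constructed: repeated block that passes the policy
        "v7#Tq9!mZx2&Lp",          # constructed: random, password-manager style
    ]
    for pw in samples:
        print(pw, meets_composition_policy(pw), predictable_patterns(pw))
```

A check like this belongs alongside a breached-password lookup at password-set time; it does not replace 2-factor authentication.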