I don't know if your interests are at all similar to the scenario that started this old thread: Security: balancing two conflicting password policies -- but that was a very interesting thread, and you might find some useful stuff there.