I assume your starting password rules deliberately set the bar low to encourage PRs to improve it, since I can think of much more believable, infuriating, tedious ways to drag this out longer, keeping the user thinking they're always one step away from a valid password without being obviously silly.

Believable, stupid requirements I've seen in the wild in the bad early days of complexity requirements.

- your password contains a common word

- your password contains one or more repeating characters

- your password contains a forbidden character

- your password needs at least one additional uppercase letter

- your password needs at least one more distinct special character

- your password cannot end with a special character

- your password contains an escalating series of numbers

- your password is too short

- your password is too long