Will need some policy updates, probably...
ASVS v4.0.2-2.1.1 requires doing this as a "best practice" - https://github.com/OWASP/ASVS/blob/v4.0.2/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0.2-en.pdf
Verify that user set passwords are at least 12 characters in length
MW/WMF are using 8/10 in various places