
Right, you can't force people to use good passwords, but you can set up requirements that try to maximize the chances that that's what you get.

As others have mentioned, there's no way to fully evaluate password strength short of providing your own entropy, so while the distribution is an important one to know about, there's not much we can do to apply it while retaining a traditional password model.

NIST has some recommendations[0] that can detect when a password is not strong, such as checking a list of cracked passwords, but we can't prove that it is.

[0] https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret
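
An added example, not part of the comment above or of NIST's text: Python checks of the kind the linked SP 800-63B memorized-secret section lists (breach-corpus lookup, repetitive or sequential characters, context-specific words, 8-character minimum). The blocklist contents, function names and the 4-character run threshold are assumptions made for illustration; the point is that the function can only report known weaknesses, never prove strength.

```python
import unicodedata

MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets

# Constructed sample blocklist; a real deployment loads a breach corpus.
BREACHED = {"password", "123456789", "qwerty123", "letmein2024", "iloveyou1"}

# Assumed sequences to scan for, forwards and backwards.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")


def _has_run(pw: str, n: int = 4) -> bool:
    """True if pw contains n identical or n sequential characters in a row."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if len(set(chunk)) == 1:
            return True
        if any(chunk in s or chunk in s[::-1] for s in SEQUENCES):
            return True
    return False


def known_weaknesses(password: str, username: str = "", service: str = "") -> list[str]:
    """Return reasons to reject the password.

    An empty list means only "no known weakness found", not "strong":
    a guessable season+year pattern such as "Summer2024!" passes every check.
    """
    pw = unicodedata.normalize("NFKC", password)  # compare in one Unicode form
    low = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:  # length counted in code points
        reasons.append("too_short")
    if low in BREACHED:
        reasons.append("breached")
    if _has_run(pw):
        reasons.append("repetitive_or_sequential")
    for word in (username, service):
        if len(word) >= 3 and word.lower() in low:
            reasons.append("context_specific")
            break
    return reasons
```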


