Why why why companies keep reinventing the wheel with the password fields? It is such a complex task that it is simply not worth it, you won’t get it right, unless you are Google and can afford a google engineer-hours. Please, don’t be stupid, just copy the approach adopted by the best.
Basic rule: don’t require stupid symbols, numbers, mixing lower and upper case, or any other crap you might want to require. The only thing you want to require is the password length. Requiring special characters do not provide much additional security, but make passwords hard to remember. Besides, it breaks users patterns, which leads to writing the passwords down in the most insecure way imaginable. Do not impose any additional restriction on the passwords. Limiting the password length at 12 symbols is stupid. Checking against 5 previously used passwords is stupid and insecure. Let user be in control. For maximum security use two-factor authorization with either SMS or code-generating app. Better still, use Facebook or Google based authorization.
War story #1. Baylor requires to change the password every 6 months. It says password can’t be the same as the last 5 passwords used. What does user do? It changes the password 5 times in a row, then changes it back to what it was before. Profit. Security — hardly. User—super annoyed.
War story #2. Fastrak (Bay Area express vehicle tag system) web site has the following password requirements:
password must be 8 to 12 characters and contain at least 1 uppercase letter, 1 lowercase letter and 1 number.
Fuck you, Fastrak!