
Please do not enforce character set or maximum length restrictions. I have a number of 30+-character passwords that are regularly rejected because they don't contain a digit. I'm sorry, but "Password1" isn't going to be stronger than that.

Also, consider enforcing higher minimums. Eight characters is simply too fast to brute-force.
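Added example, not part of the comment above: a composition-rule validator next to a length-only validator, run on the two kinds of password the comment contrasts. The function names, the 8-16 character window, the 12-character minimum and the sample passphrase are assumptions made for illustration.

```python
import math

# Assumed minimum for the length-only policy; the comment only says
# that eight characters is too short, it does not name a number.
MIN_LENGTH = 12


def composition_policy(pw: str) -> bool:
    """Hypothetical legacy rule: 8-16 chars with upper, lower and a digit."""
    return (
        8 <= len(pw) <= 16
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
    )


def length_policy(pw: str) -> bool:
    """Length-only rule: no character-set rule, no maximum, higher minimum."""
    return len(pw) >= MIN_LENGTH


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of exhaustive search for a uniformly random string.

    This is an upper bound: a guessable choice such as "Password1"
    falls to a wordlist long before exhaustive search finishes.
    """
    return length * math.log2(alphabet_size)


# Constructed sample inputs.
PASSPHRASE = "correct horse battery staple mule"  # 33 chars, no digit
SHORT = "Password1"                               # 9 chars, satisfies composition

if __name__ == "__main__":
    for pw in (PASSPHRASE, SHORT):
        print(f"{pw!r}: composition={composition_policy(pw)} "
              f"length={length_policy(pw)}")
    # 8 random printable-ASCII chars vs 30 random lowercase letters.
    print(f"8 chars, 95 symbols:  {search_space_bits(8, 95):.1f} bits")
    print(f"30 chars, 26 symbols: {search_space_bits(30, 26):.1f} bits")
```
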


