In Atlassian crowd we can enforce password requirements via a password regex expression and an associated password complexity requirement message.
You can use this excellent regular expression generator/tester to test your expressions.
Here's another example that I've used. This one enforces 8 characters (can be any including special characters) but no whitespace characters
EXPLANATION: what this is syaing: the password must start with a non-whitespace character, then match on multiple non-whitespace characters, and finally the last 8 characters must also be non-whitespace characters.
The issue is that this message is not displayed in confluence (or JIRA I presume) when we enable functionality to set/change passwords via confluence. All that will show is some message about the password not being valid (which isn't much help). This is an interesting (and annoying) oversight.
Fortunately, we can overcome this oversight (somewhat) via CSS content insertion.
See below for something I cooked up to insert a password requirement message in confluence's user change password & new sign up screens. This should work in all modern browsers.
Simply add (and modify to suit) the following to confluence's global stylesheets (General configuration → Stylesheet):
What this does is show the following message on both the user change password screen and the new user signup sheets. This is what it looks like:
User change password screen with CSS content inserted message.
New user sign up screen with CSS content inserted message.