Yeah I understand. I think my point is don’t add any other friction to the password strength other than length. If you want more security increase the min length, if you’re happy with less, lower it.

I’d personally have a 12 length password enforcement, a password strength meter and nothing else. Possibly less if you introduce 2fa.

Yea, that's what I gathered as well. So what do you think about checking against compromised passwords?