Generally accessibility is emphasized over security.  So the password policy is not highly restrictive.  The following are required

1. Passwords should have at least 8 characters with at least one uppercase, one lowercase and one numeric character.
2. After three unsuccessful tries the login will be locked and inaccessible for 10 minutes.
3. No password cycling (change) will be required, but users are encouranged to change their passwords every few months.