Testers wanted to know the minimum requirements for passwords. If the user's password is too weak, explain why.

We could solve this by showing "password is too short" if it's below a minimum length, "password is too common" if it's on a blacklist of common passwords, or "password is too simple" if it's neither too short nor too common but the strength estimate is low due to insufficient variety of characters.