You probably heard about the password policy "industry standard"; 8 characters minimum, complexity rules and expiration after 90 days. But is this good enough?...