"some consumer-focused sites do get it right on password security"
And some, mentioning no names *cough* UPS *cough*, require an upper case letter, a lower case letter, a number and a special character *and* require that it be between 8 and 15 characters.
Why the hell do they need a 15-character maximum? The days of limited storage space are long gone, so if I want to use a password of "Somewhereovertherainbowwayuphigh!1" why should I not be allowed to do so because they're using an obsolete password model?