Reply to post:

No, eight characters, some capital letters and numbers is not a good password policy

Dom 3

I had a go a few years ago. Any new password was first run through this:

https://www.systutorials.com/docs/linux/man/1-pwqcheck/

which recognises that a long password of only two character types is as strong as a short password of four character types. (I didn't use the defaults, FWIW).

After that I ran it through a dictionary checker against a common password list, and a standard word list. If the last (up to) four characters were digits they were stripped before this test. And leet-speak variations were also tested, e.g. p455w0rd would fail.

And people *still* managed to come up with piss-poor passwords.

I would like to have gone full John the Ripper on it but I wasn't going to be able to sell that one to the customer.
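
The dictionary stage described in the comment above, as an added example that is not part of the original post and is not the commenter's code. The word lists, the leet table and the function names are constructed for illustration, and the pwqcheck stage is not reproduced.

```python
import re

# Constructed sample lists; a real deployment would load a common-password
# list and a standard word list from files.
COMMON_PASSWORDS = ("password", "letmein", "qwerty", "dragon")
WORD_LIST = ("monkey", "sunshine", "elephant", "liverpool")

# Assumed single-character leet table; a symbol may stand for several letters.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
        "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"}


def strip_trailing_digits(password):
    """Drop up to four digits from the end of the password."""
    return re.sub(r"\d{1,4}$", "", password)


def reads_as(candidate, word):
    """True if candidate spells word once leet symbols are read as letters."""
    return len(candidate) == len(word) and all(
        c == w or w in LEET.get(c, "") for c, w in zip(candidate, word))


def dictionary_hit(password):
    """Return the list entry the password is built on, or None if it passes."""
    lowered = password.lower()
    # Test the password as typed and again with trailing digits removed;
    # the first pass catches leet spellings that themselves end in a digit.
    for stem in (lowered, strip_trailing_digits(lowered)):
        for word in COMMON_PASSWORDS + WORD_LIST:
            if reads_as(stem, word):
                return word
    return None


if __name__ == "__main__":
    for pw in ("p455w0rd", "Monkey2019", "l3tm31n1", "5un5h1ne", "tr0ub4dor&3"):
        print(f"{pw!r}: {dictionary_hit(pw) or 'no dictionary match'}")
```

Matching each list word against the candidate position by position avoids expanding every possible leet reading of the password, which grows exponentially with the number of substitutable symbols.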
