Within interest, I have read The Register's (link) article about Virgin Media's password policy for emails.  The reason I am interested in this, is because several years ago I recall thinking how weak and pitiful this policy is.

1. The minimum password length needs to be increased to at least 16.
2. Allow the use of symbols and/or special characters in passwords.
3. Consider giving users the option to enable 2FA.  Admittedly I don't think this is something I wouldn't use, as my email program checks for new emails every 10 minutes.  But for web logins, it should be considered in this day and age.

I see that SIX years ago somebody else raised the same concerns, only to be dismissed by several members.  But the fact is, these current password policies simply are not strong enough and people are beginning to realise this.