Overdoing Security


I was registering for the FAA MedXPress program today. This program allows pilots to submit their flight physicals online. Once you've registered, the FAA requires that you change your password. Here are the requirements for the new password:

You have accessed the FAA MedXPress site using a temporary password. You must change your password in order to continue.

Passwords must contain between 8 and 12 characters and include at least three of the following four character groups: English upper case characters (A through Z); English lower case characters (a through z); Numerals (0 through 9); Non-alphabetic characters (such as !, $, #, %). Passwords are case sensitive.
From FAA MedXPress Change Password
Referenced Mon May 07 2007 15:14:16 GMT-0600 (MDT)

This seems a little heavy. To be sure, there's some very personal data stored on that form, but should I be allowed to know how secure I make it? I know... most people can't make that determination well. But Google and others seem to have hit on a strategy to rate a password and tell you how good a password you've chosen. I'm curious how often people change bad passwords based on that feedback.

The problem with overdoing it here is that I'm not able to choose a password I'll remember or even use the password generator bookmarklet. So, I'll write it down and that makes it less secure.
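
An added example, not part of the original post or any FAA code: the quoted rule checked side by side with a rough strength rating of the kind the post mentions. The common-word list, the bit thresholds, the pool sizes and the sample passwords are constructed assumptions; the 16-character sample stands in for generator output longer than the 12-character cap.

```python
import math
import string

# Character groups named in the quoted FAA MedXPress policy.
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
# Constructed sample of well-known weak base words, for illustration only.
COMMON = {"password", "welcome", "letmein", "qwerty"}
# Assumed pool sizes per group (33 = printable ASCII punctuation plus space).
POOL = {"upper": 26, "lower": 26, "digit": 10, "other": 33}

def groups_used(pw):
    """Return which of the four policy character groups appear in pw."""
    used = set()
    for c in pw:
        if c in UPPER:
            used.add("upper")
        elif c in LOWER:
            used.add("lower")
        elif c in DIGITS:
            used.add("digit")
        else:
            used.add("other")  # assumption: anything else is "non-alphabetic"
    return used

def policy_ok(pw):
    """The quoted rule: 8 to 12 characters, at least three of four groups."""
    return 8 <= len(pw) <= 12 and len(groups_used(pw)) >= 3

def estimated_bits(pw):
    """Upper-bound brute-force estimate; 0 for a common word plus a suffix."""
    if pw.lower().rstrip(string.digits + string.punctuation) in COMMON:
        return 0.0
    pool = sum(POOL[g] for g in groups_used(pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def rate(pw):
    """Map the estimate onto the labels a strength meter would show."""
    bits = estimated_bits(pw)
    return "weak" if bits < 40 else "fair" if bits < 70 else "strong"

# Constructed samples: a guessable password, a passphrase, generator-style output.
SAMPLES = ["Password1", "correct horse battery staple", "kX9#mQ2$vL7!pR4&"]

if __name__ == "__main__":
    for pw in SAMPLES:
        verdict = "accept" if policy_ok(pw) else "reject"
        print(f"{pw!r:32} policy={verdict:6} meter={rate(pw)}")
```

The policy accepts the first sample and rejects the other two, while the rating orders them the other way round.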