We already have NotCompromisedPassword.
For the other checks like having an upper case or lower case, that's a bad practice, so I would not it in core.

@fabpot as it's also mentioned as an item in #30914, would you be against core support for a constraint implementing e.g. https://github.com/bjeavons/zxcvbn-php (if it's installed)? (I don't have a strong opinion, but if the core team is, we should remove that item from the #30914 list as well)

@wouterj I'm totally fine with supporting any algo/libs that make a sensible evaluation of the password strength.

The core level support I suggested at #30914 was indeed intended to be part of the "User" convenience layer, providing a generic interface for people to implement their own checker, or easily plug in a library like zxcvbn.

If people want to implement something bad like upper/lower counting it's their own choice, we should just provide the extension point.