I recently signed up on the ANSI Web site to download a document on cyber risk calculation and they had a minimum 10 character password requirement –  they also share your personal data (all demographics are required fields by the way) with third parties – at least they have an opt-out check box on the registration form.
The ANSI Web security policy is misguided: They’re collecting too much personal data, but requiring strong passwords that cannot mitigate the risk of sharing personal information with third parties. Once personal data is stored on a third-party server, ANSI cannot guarantee privacy according to their privacy statement.