I think that adding a check here, where the PCR logic happens, should work.
It may make sense to have this be a configurable feature.
I have heard frustrations with some of the teams having strategies that gamify the competition, and setting 42-character passwords, or setting all users' passwords to a single password. I think it would be easier to deny this behavior in the scoring engine than having competition rules.