Add some constraints on password
I think Jeff Atwood has a good analysis about password rules [1].
And I think he is right about adding a length rule.
About the common password check, it can be difficult to define what the common passwords are. But we could allow configuring a list of such passwords in a plain text file and load it into a set in memory.
For the entropy, we could simply check that len(set(password))/len(password) > <ratio from configuration>. I guess 0.75 is already a good one.
And we can forbid passwords equal to the login, name, email and "tryton".
[1] https://blog.codinghorror.com/password-rules-are-bullshit/
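
The four checks proposed above, combined into one validator. This is an added example, not part of the original post and not Tryton's code. The function names, the minimum length of 8, the case-insensitive matching and the sample password list are assumptions of the example.

```python
import io

# Constructed sample standing in for the plain text file of common passwords.
SAMPLE_COMMON = io.StringIO("123456\npassword\nqwerty\nletmein\n")


def load_common_passwords(lines):
    """Load one password per line into a set; blank lines are skipped."""
    return {line.strip().lower() for line in lines if line.strip()}


def check_password(password, login="", name="", email="",
                   common=frozenset(), min_length=8, ratio=0.75):
    """Return a list of rule violations; an empty list means accepted.

    min_length and case-insensitive matching are assumptions of this example.
    """
    errors = []
    if len(password) < min_length:
        errors.append("length")
    lowered = password.lower()
    if lowered in common:
        errors.append("common")
    # Distinct characters over total length, compared strictly as proposed.
    # The guard avoids a division by zero on an empty password.
    if not password or len(set(password)) / len(password) <= ratio:
        errors.append("entropy")
    # Unset user fields are skipped so an empty value never matches.
    forbidden = {v.lower() for v in (login, name, email, "tryton") if v}
    if lowered in forbidden:
        errors.append("forbidden")
    return errors


COMMON = load_common_passwords(SAMPLE_COMMON)
```

Because the number of distinct characters is bounded while length is not, the ratio falls as passwords get longer: "correct horse battery staple" has 13 distinct characters over 28, about 0.46, and is rejected at 0.75. A deployment that also wants to encourage long passphrases would need a lower ratio or a cap on the length the ratio is computed over.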