Password critera should be validated as the user types, the user can currently pick a good strong (long) password,
spend effort to type it into both boxes, and then fail validation for not including mixed case.
This validaion should either happen live, or the page should include the password criteria.
