The complexity requirements pretty quickly become unreasonable, to the point that I would have realized they weren’t serious after like the 2nd try.
To be really evil, Troy should play with the password field- make it not a text or password field, but rather some sort of custom input field that doesn’t work with password managers and doesn’t allow paste.
Also maybe return errors sometimes that are themselves erroneous.
A better idea would be to use custom inputs that produce "typos" that the user didn't make. E.g. you have a "zip/postal" code field and your input sneakily swaps 2 neighbouring characters at some point, resulting in error "this zip code doesn't exist". Or change 8 to 9 etc.
Or you could make a "check your input one more time before confirming" step and display typos in e.g. names/emails there.
To be really evil, Troy should play with the password field- make it not a text or password field, but rather some sort of custom input field that doesn’t work with password managers and doesn’t allow paste.
Also maybe return errors sometimes that are themselves erroneous.