Security by Post-It
Perl, 203 194 189 193 chars
Here's my Perl take on the problem:
print"Username: ";chop($u=<>);$n=reverse$u;print"Password: ";$_=<>;
say/^\pL.{7,11}$/*/\d/*/[A-Z]/*9>y/A-Z//&y/a-z//<9*/[a-z]/*
!/[" #,;->^&[|)]|(.)(.*\1.*\1|\1.*(.)\3)|\Q$u\E|\Q$n/?"OK.":"Nope."
The regexes check, in order, that the password:
starts with a letter, has eight to twelve characters
contains a digit
contains an uppercase letter
has eight or fewer uppercase letters
has eight or fewer lowercase letters
contains a lowercase letter
does not contain any of the forbidden punctuation marks, three occurrences of any character, more than one occurrence of a doubled character, the username, or the username reversed.
(Thanks to Peter Taylor for pointing out a bug in the 189-char version.)
Ruby, 270 characters
$><<"Username: ";u=gets.chop
$><<"Password: ";gets
puts ('^.{8,12}$+\p{Lower}+\p{Upper}+^(\p{Alpha}.*){2}+\d+(\p{Lower}.*){9}+(\p{Upper}.*){9}+(.)\1.*(.)\2+(.).*\1.*\1+[ ^=&#,;"<>\[|)]+'+u+?++u.reverse).split(?+).map{|r|/#{r}/=~$_??A:?B}*""=="AAAAABBBBBBB"?"OK.":"Nope."
A ruby implementation build on twelve regular expressions. Each expression is either a positive match (first five) or a negative one (latter seven). As a restriction the username may only contain letters or digits.
Positive regular expression matches:
/^.{8,12}$/
: have at least 8 character(s)!, not be longer than 12 characters!/\p{Lower}/
and/\p{Upper}/
: have upper and lower case characters!/^(\p{Alpha}.*){2}/
: have at least 2 letter(s)!, have a leading letter!/\d/
: have at least 1 digit(s)!
Negative regular expression matches:
/(\p{Lower}.*){9}/
: have no more than 8 lower-case letter(s)!/(\p{Upper}.*){9}/
: have no more than 8 upper-case letter(s)!/(.)\1.*(.)\2/
: have no more than 1 pair(s) of repeating characters!/(.).*\1.*\1/
: not have 3 occurences of the same character!/[ ^=&#,;"<>\[|)]/
: not contain caret, space, =, &, #, ,, ;, ", >, <, [, |, )/#{u}/
: not be your username!, not contain your username!/#{u.reverse}/
: not be your username backwards!, not contain your username backwards!