Not *very* sensible. After all, if somebody with an eight-character surname has their surname appear in their password… but their password is 20 characters long, they’re still okay.

The correct answer would be to reduce the perceived length of the password by the length of the included name. So if Mr. Thompson tries to set his password to “123thompsonabc”, it is validated as “123abc” (his name is removed). This is too short, and therefore fails. But if he tried “123swothompsonrdfish!”, this would reduce to “123swordfish!”, which is sufficiently complex.

“DaNiSH-P4stR135-R-mai-4av0rit-tr33t” would be a perfectly secure (if stupid) password, but would be rejected for somebody called “Dan”. But not if they first changed their name to “Daniel”, and then changed it back afterwards. Their system, while well-meaning, sucks.
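A sketch of the name-discounting check described above, as an added example that is not code from the system being criticised. The function names, the 8-character threshold and the 3-character minimum name length are assumptions; the post does not state any of them.

```python
import re

MIN_EFFECTIVE_LENGTH = 8  # assumed threshold; the post does not give one
MIN_NAME_LENGTH = 3       # assumed: ignore 1-2 letter names that would match by accident


def strip_names(password, names):
    """Remove every case-insensitive occurrence of each name from the password.

    Longer names are removed first, and removal repeats until nothing changes,
    so deleting one occurrence cannot splice together a fresh copy of the name
    (e.g. "ththompsonompson").
    """
    usable = {n.lower() for n in names if len(n) >= MIN_NAME_LENGTH}
    patterns = [
        re.compile(re.escape(n), re.IGNORECASE)
        for n in sorted(usable, key=len, reverse=True)
    ]
    remainder = password
    changed = True
    while changed:
        changed = False
        for pattern in patterns:
            remainder, count = pattern.subn("", remainder)
            changed = changed or count > 0
    return remainder


def validate(password, names, min_length=MIN_EFFECTIVE_LENGTH):
    """Return (accepted, remainder): judge only what is left once names are removed."""
    remainder = strip_names(password, names)
    return len(remainder) >= min_length, remainder


if __name__ == "__main__":
    # Passwords and names taken from the examples in the text above.
    samples = [
        ("123thompsonabc", ["Thompson"]),
        ("123swothompsonrdfish!", ["Thompson"]),
        ("DaNiSH-P4stR135-R-mai-4av0rit-tr33t", ["Dan"]),
    ]
    for password, names in samples:
        accepted, remainder = validate(password, names)
        print(f"{password!r}: remainder={remainder!r} accepted={accepted}")
```

The remainder would then go through whatever other complexity rules apply; only the length check is shown here.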