(1) How will you handle a situation in which a user with an 8- or 9-character password is given advanced rights? We can't risk someone being locked out of an account because a change in user rights makes their current password invalid. I hope the answer is that they'll be prompted to change the password immediately.
(2) What is a character? Is it ASCII characters, or Unicode, or Latin script, or something else? If it's eight or ten graphemes, this may pose problems for Chinese users in particular, given the nature of the language's writing system; that's analogous to requiring anglophones to remember a password of eight or ten words.