No, it's about being restrictive.
Originally Posted by DoubleDee
How does enforcing those arbitrary rules help security? What it does is (a) mean that people are less likely to be able to use their password of choice, which means that they are more likely to write it down somewhere or choose something really obvious, and (b) gives any hackerbots a good head start on what format passwords can take.
I regularly get thoroughly P!5sed off (demonstrating how to meet 3 of the 4 requirements nicely!) by websites that have these arcane and self-defeating password requirements, which usually only serves to demonstrate that the creator knows a lot less about security than he thinks. At work we have to have at least three of a capital letter, a lower case letter, a number and a non-alphanumeric character – minimum 7 characters – change it every month (or is it two?) and you can't reuse any of your last twelve passwords. So inevitably someone with a rabbit called Bubbles goes for Bubbles1 then Bubbles2 then Bubbles3 ... which is so much less secure than if they were allowed to pick one password of whatever format they wanted and stick with it.
A blond/e (we're not sexist here, just hairist) called Sam is setting up his/her new computer account at work. The techie explains the requirements to Sam and goes back to his desk. A few minutes later, he gets a phone call from Sam, who can't get his/her password to work. The techie is surprised, because he explained the fairly simple requirements very carefully. He clears Sam's details and asks him/her to type it in again while he is on the phone. He notices that there's a lot of typing before Sam comes back on and says "No, it's still not working". "Let me see if I can get it to work," says the techie, "What password were you trying to use?" Sam replies, "doc grumpy happy sleepy bashful sneezy dopey london. You told me it had to be seven characters and a capital, and those were the only ones I could think of that I would remember."