
Pretty sure he got downvoted because of this canard:

>If you don't you end up with bad passwords.

This is a terrible fallacy that has brought so much pain on the world. The rate of bad passwords is probably not so different, but the rate of frustration is so much higher.



Were these regulations created at a time when brute force password cracking was a legitimate concern?

Password policies do definitely raise the entropy of the passwords, so if the attack vector you're concerned about is entropy sensitive, it's a decent strategy.

As someone who has had to enforce such password policies many times, I can say that it's almost always because of some regulatory or certification organization that requires complex policies.



