If someone is going to naively brute-force your login screen, it's safe to assume they're going to look at the sign-up password requirements anyway. Nobody is just going to throw the whole Unicode character set at your password field and go from 1 to infinity characters in order to guess your passwords.
More likely a hashed table gets leaked and they just compare it with existing rainbow tables. Password hints do nothing to protect against that, while inconveniencing your real users.
For a real user trying to guess their password, providing hints (that already match your signup rules) might take them down from 10 wrong guesses to 2 or 3, a huge improvement. For brute-forcing bots, it might take them from 5 years to 4.5 years per password. So what?
If it's another human trying to guess someone's password, again, the requirements are already there in the sign-up screen. Also, it's probably easier just to spearphish them with a fake email or try to answer their (not-so) secret questions based on public records and whatnot.