When you create a password, it’s often recommended to use a variety of character mixed with numbers, special characters, upper and lower case, etc. because all these things create a higher level of diversity and thereby the number of combinations required to brute-force determine your password.
Not only is it often suggested, though, it’s often demanded. Guess what, as soon as you make those things mandatory, you’ve just made everyone’s passwords weaker.
When you add parameters of what a password must be, such as limiting the length to a specific number, requiring a certain special character or characters and require upper and lower case, those are all guaranteed to be in the password now, significantly limiting the combinations required, which was the entire point of enforcing it from the start.
Every requisite is essentially a hint. Take a look at this Government of Canada registration form:
Just from this, you know that for any given password you know the approximate length, the variety and even the set of available special characters from which to select.
As an example of the issue, let’s use a 4-digit pin number. Let’s say our pin number is 1862
There are 10,000 combinations. Meaning there’s a 1/10000 chance of randomly guessing the number.
Lets add a restriction now: each number must be different so predictable options such as 9999 are weeded out. Well then, we now have only 5,040 combinations.
Hey, we don’t want pin numbers like 1234 so let’s not allow 3 consecutive numbers either. Well, we’re down to 4,410 combinations.
We also want to make the numbers varied, so let’s require at least one digit to be between 0-2 and another to be between 7-9. That brings us down under 1,000 combinations.
All in all, our limitations have weakened the pin number 1862, which fits all requirements, by more than 10-fold. At the cost of eliminating weaker passwords, we’ve weakened all passwords.