Denying passwords would just lead to adding 1 to the end and calling it a day. We shouldn't really put any limitations on passwords users use.