by rphlx 2812 days ago
A decent fraction of the population views password restrictions as a challenge to come up with the shittiest, least secure password that they possibly can while still meeting all restrictions. You can blame users for that with some justice, but as a system designer, it's still your responsibility to provide security despite shitty but reasonably likely human behavior.

With modern crypto there are very few systems where it's appropriate to have a user-selected <=12-character password for primary auth, yet unfortunately that continues to be widespread for banks, ecommerce, and (probably) some military systems. High-end security people seem to almost universally hate short user-selected passwords (except when they have to break them...) but old practices die hard and old systems take a long time to be replaced.
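An added example, not from the comment or its author, of the "minimal compliance" behaviour described above: the classic composition rule (8+ characters with upper, lower, digit and symbol) happily accepts `Password1!`, `P@ssw0rd2024` and `Summer2024!`, and even credits them with 65+ bits of "keyspace", while a length-plus-blocklist policy in the spirit of NIST SP 800-63B rejects them once the trailing digits and leetspeak are folded away. The blocklist is a constructed handful of base words, the 12-character minimum is an assumption chosen to match the threshold in the comment, and the leet table is illustrative rather than exhaustive.

```python
import math
import re

# Constructed blocklist of base words behind very common passwords. A real
# deployment would load a large breach corpus (e.g. the Pwned Passwords set).
BLOCKLIST = {
    "password", "qwerty", "welcome", "letmein", "admin",
    "summer", "winter", "iloveyou", "monkey", "dragon",
}

# Illustrative leetspeak substitutions to undo; real checkers use longer tables.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "$": "s"})


def composition_rule_ok(pw: str) -> bool:
    """The classic 'complexity' policy: at least 8 chars drawn from upper,
    lower, digit and symbol. Trivially satisfied by a known-bad password."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def normalize(pw: str) -> str:
    """Fold the minimal-compliance tricks back to the base word:
    lowercase, strip trailing digits/symbols, then undo leetspeak."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(_LEET)


def naive_keyspace_bits(pw: str) -> float:
    """What a composition rule implicitly credits: log2(alphabet ** length).
    Meaningless when the password is a dictionary word plus a suffix."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33  # printable ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def sane_policy_ok(pw: str, min_len: int = 12, max_len: int = 128) -> bool:
    """Length plus blocklist, no composition rules. min_len=12 is an assumption
    matching the comment's threshold; max_len stays high so passphrases work."""
    if not (min_len <= len(pw) <= max_len):
        return False
    if len(set(pw)) < 4:  # 'aaaaaaaaaaaa' and friends
        return False
    if pw.lower() in BLOCKLIST or normalize(pw) in BLOCKLIST:
        return False
    return True


def evaluate(pw: str) -> dict:
    """Side-by-side verdict of both policies for one candidate password."""
    return {
        "composition_rule": composition_rule_ok(pw),
        "sane_policy": sane_policy_ok(pw),
        "advertised_bits": round(naive_keyspace_bits(pw), 1),
        "normalized": normalize(pw),
    }


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd2024", "Summer2024!",
                      "correct horse battery staple", "Tr0ub4dor&3"):
        print(f"{candidate!r:34} {evaluate(candidate)}")
```

Running the block shows the inversion the comment complains about: the three "compliant" passwords pass the composition rule and fail the blocklist check, while the long passphrase fails the composition rule (no uppercase, no digit) and passes the sane policy. The advertised-bits figure is the number a composition rule implicitly trusts; for a blocklisted word it says nothing about how fast the password actually falls.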