by dredmorbius 5122 days ago
Look for example at password rules.

Rules restricting the range of passwords that may be used in an arbitrary fashion can markedly decrease the search space for an attacker.

A strict rule count by itself is neither good nor bad. Well, arguably, it's bad, as it increases system complexity, side effects, loopholes, and trains users to thwart restrictions. Ideally you want a small number of sane rules (mostly based on role and access), tightly implemented, with strong auditability.

Going back to passwords: the simple check of denying the use of any known password (there are collections of millions now from various site compromises) would be an audit check, not strictly a rule, though it might result in a rule of "known passwords will be denied".
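As an added illustration of the two points above (not code from the comment's author), the snippet below puts numbers on how an arbitrary composition rule shrinks the attacker's search space, and implements the "deny any known password" audit check against a hashed blocklist. The breach list is a constructed five-entry stand-in; a real deployment would load millions of entries.

```python
import hashlib
import math

# Constructed stand-in for a breach compilation (assumption: a real
# deployment loads millions of entries from public compromise dumps).
KNOWN_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Password1"]


def _digest(pw: str) -> str:
    # Compare hashes so the blocklist itself never stores plaintext.
    return hashlib.sha1(pw.encode("utf-8")).hexdigest()


KNOWN_DIGESTS = frozenset(_digest(p) for p in KNOWN_PASSWORDS)


def is_known_password(candidate: str) -> bool:
    """The audit check from the comment: reject any previously leaked password."""
    return _digest(candidate) in KNOWN_DIGESTS


def search_space_bits(alphabet_size: int, min_len: int, max_len: int) -> float:
    """log2 of how many strings an attacker must try across the allowed lengths."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


def compare_policies() -> dict:
    """Unrestricted printable ASCII, 8-16 chars, versus an arbitrary rule of
    'letters and digits only, exactly 8 chars' (hypothetical policies)."""
    unrestricted = search_space_bits(95, 8, 16)
    restricted = search_space_bits(62, 8, 8)
    return {
        "unrestricted_bits": unrestricted,
        "restricted_bits": restricted,
        "bits_lost_to_rule": unrestricted - restricted,
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name}: {bits:.1f}")
    for pw in ["qwerty", "correct horse battery staple"]:
        print(pw, "-> denied" if is_known_password(pw) else "-> allowed")
```

The restricted policy loses roughly 57 bits of search space, which is the "markedly decrease" the comment describes, while the blocklist check removes exactly the strings an attacker would try first.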