by Sammi 659 days ago
Yes, good points.

I have to argue the second part of this, though:

> minimum 12 char + uppercase/lowercase + number

The first rule, the minimum char count, is great. You increase the entropy exponentially with every added char.

But in the second part, when you make rules about each individual char, you are actually decreasing entropy. The space of possibilities actually shrinks every time a rule defines what a char must or mustn't be. An attacker now knows that certain things are guaranteed, and can tune their brute force algorithm to expect a big ascii letter, a large ascii letter, a latin number, an ascii special char. They now have a much smaller search space than before, when each char could be any utf8 char. You're basically leaking exploitable information about the password by having character rules.


The alternative in practice is not all utf8 characters, the alternative is lowercase letters. If there are no rules that require uppercase and alphanumerics, or length, then many people will use passwords that are easy to type, and short, and not impose security difficulties on themselves. The alphanumerics + case rule is addressing human behavior, and effectively does increase the search space (by a lot) for most people, not decrease it. It would be nice if most password entries could detect other utf8 chars and allow them to substitute for cased alphanumerics, or if longer passwords could relax the rules. The point is to meet a threshold of security against attackers, and the blanket rule does that but ignores some viable and convenient alternatives.
You also decrease entropy by having a minimum length rule. The point of these rules is only to forbid weak passwords.
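To put numbers on both sides of this exchange (the comment above arguing that composition rules shrink the search space, and the reply arguing that the realistic alternative is lowercase-only), here is an added Python example that is not from any commenter. It counts, by inclusion-exclusion, how many 12-character strings over the 94 printable ASCII characters (an assumption standing in for "any utf8 char") satisfy an upper+lower+digit rule, and compares that with no rule at all and with lowercase-only passwords.

```python
import math
import string
from itertools import combinations, product

# Constructed character classes covering the 94 printable ASCII characters
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def meets_policy(password, required, classes=CLASSES):
    """True if the password contains at least one char from each required class."""
    return all(any(c in classes[name] for c in password) for name in required)


def search_space(length, required=(), classes=CLASSES):
    """Number of strings of `length` over the full alphabet that satisfy the
    composition rule, via inclusion-exclusion over the required classes."""
    alphabet = sum(len(chars) for chars in classes.values())
    total = 0
    for r in range(len(required) + 1):
        for missing in combinations(required, r):
            # strings that avoid every class in `missing` are subtracted/added back
            size = alphabet - sum(len(classes[name]) for name in missing)
            total += (-1) ** r * size ** length
    return total


def entropy_bits(count):
    """Bits of entropy for a uniformly chosen password from `count` candidates."""
    return math.log2(count)


def brute_force_count(length, required, classes):
    """Exhaustive cross-check of search_space() for a tiny constructed alphabet."""
    alphabet = "".join(classes.values())
    return sum(1 for p in product(alphabet, repeat=length)
               if meets_policy(p, required, classes))


if __name__ == "__main__":
    n, rules = 12, ("lower", "upper", "digit")
    print(f"12 chars, any printable ASCII: {entropy_bits(search_space(n)):.1f} bits")
    print(f"12 chars, upper+lower+digit  : {entropy_bits(search_space(n, rules)):.1f} bits")
    print(f"12 chars, lowercase only     : {entropy_bits(26 ** n):.1f} bits")
```

The rule costs roughly half a bit against the unconstrained space, while lowercase-only passwords of the same length are about 22 bits weaker, which is the gap the reply is pointing at.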