So, ok, over the years, various online services, whether it be the log-ins for bank accounts, institutions, and so forth, have kept making the minimum password requirements ever longer and more complex. 7 characters? Too short. A whole damn sentence but only lower case letters? Too simple. Etc.
As far as I understand, this is a total and complete waste of time. It does not improve security at all. Note this thread is in general questions because I don't feel this is an opinion; it's a mathematical fact.
Take a 5 character password that is just lower case letters. Hugely "insecure" and almost no website or bank will let you use it now.
So, there are 5^26 possibilities, or 1.4 * 10^18. Now, the *only* risk here is (1) whoever is trying to "crack in" can see the hash of that password, but they need to guess the password itself, or (2) they can guess an unlimited number of times at some ridiculous number of guesses per second.
For an online service done competently, neither should be true. The password hash file should be as well protected as the data the password protects (aka, if hackers can access the file that has the password hash, they can steal everything else anyway), and there should be a limited number of guesses allowed per unit time. A simple solution to limit guesses is, say, after 10 password attempts, you add a timeout that doubles for every subsequent attempt. Nothing onerous. This means that a cracker can maybe try 100 passwords in a 24-hour period, so they will never break in if there are 10^18 possibilities.
So it’s all smoke and mirrors and a waste of everyone’s time. Crackers don’t guess passwords; they get them reset by social engineering, or they just steal the actual password, no matter how complex or long it is, from the computer the user typed the password in at (keystroke-logging hardware or software).
The only check that should be performed is if a password is on the list of the 1000 or 10k most common passwords. If it is, bzzt, try again. Other than that, anything should work.
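The two controls the post proposes, the common-password blocklist and the doubling lockout after 10 failed tries, as an added worked example that is not part of the original post. It assumes a 1-second first delay (the post gives no starting value), uses a constructed five-entry blocklist in place of the real 1k/10k list, and includes a helper that counts how many guesses the lockout leaves an attacker in a given window when every guess fails.

```python
# Added example (not from the post): the two defences the post describes,
# a common-password blocklist and a doubling lockout after 10 failed tries,
# plus a helper that counts how many guesses the lockout leaves per window.

# Constructed sample; a real deployment loads the full 1k/10k most-common list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123"}

FREE_ATTEMPTS = 10       # failures allowed before any delay (from the post)
BASE_DELAY_SECONDS = 1   # assumed first delay; doubles on every later failure


def is_acceptable(password: str) -> bool:
    """The only registration check the post argues for: reject common passwords."""
    return password.lower() not in COMMON_PASSWORDS


def delay_after_failures(failures: int) -> int:
    """Seconds to wait before the next try, given the failures so far."""
    if failures < FREE_ATTEMPTS:
        return 0
    return BASE_DELAY_SECONDS * 2 ** (failures - FREE_ATTEMPTS)


def attempts_possible(window_seconds: int) -> int:
    """Guesses that fit in a window when every guess fails (cumulative delays)."""
    attempts, elapsed = 0, 0
    while True:
        wait = delay_after_failures(attempts)
        if elapsed + wait > window_seconds:
            return attempts
        elapsed += wait
        attempts += 1


class LoginThrottle:
    """Per-account throttle: failure count and the earliest time a retry is allowed."""

    def __init__(self):
        self._state = {}  # username -> [failures, not_before]

    def attempt(self, username, password, verify, now):
        """Return 'throttled', 'ok' or 'rejected'; `verify` checks the credential."""
        failures, not_before = self._state.get(username, [0, 0])
        if now < not_before:
            return "throttled"                # refuse before even checking the password
        if verify(username, password):
            self._state.pop(username, None)   # success clears the counter
            return "ok"
        failures += 1
        self._state[username] = [failures, now + delay_after_failures(failures)]
        return "rejected"
```

With a 1-second first delay, `attempts_possible(86400)` returns 26: ten free tries and then sixteen more before the cumulative doubling waits exceed a day.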