I've frequently complained about stupid password policies and schemes, widely used by websites everywhere, including those of banks, financial institutions and tech companies (+Apple, I'm looking at you) that ought to know better.
Often, those policies will require that a password contain certain characters, for example at least one number, or at least one symbol. This is wrong-headed and of no real value. Here are two reasons why.
First, remembering passwords with cryptic symbols within them is hard for humans, although easy for machines. This results in the humans using the shortest legal password (in order to remember it more easily) or writing it down (so as to not forget it).
It also means that password generator and storage applications cannot be configured once for all of a user's passwords, because one website will have one stupid set of requirements and another will have another, incompatible with the first, stupid set of requirements.
The net result is generally less security. But this is just the social argument, so to speak. Let's get on to the hard math argument.
The second reason these all-too-common password schemes are wrong-headed is that, mathematically, they're effectively useless. Policies that require (not just allow) numbers and symbols are chosen because the people deciding on them are trying to increase the entropy, the randomness or lack of predictability, of the passwords.
However, there's a lot more to password strength than entropy. Entropy is about uncertainty -- which doesn't necessarily translate to more security. For example:
The entropy of "akj@!0aj" is 2.5, while the entropy of "password" is 2.75 (larger is better).
Most people can easily tell that using "password" as a password is a very bad idea. But the cryptic string "akj@!0aj" is actually worse on an entropy basis. If someone were trying to crack the two passwords above by brute force, randomly trying combinations of valid characters, the "akj@!0aj" password has a larger chance of being found!
All too often, the same fools who impose such cryptic password policies on users also limit the length of acceptable passwords to 8 or 10 characters! In 2012, a 25-GPU computer demonstrated cracking every single 8-character password in about 6 hours. Such short length limits also preclude using truly secure passwords, such as a series of 5, 6, 7 or more short words randomly generated, as described by Arnold Reinhold in his Diceware passphrase generator: http://world.std.com/~reinhold/diceware.html
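As an added illustration (not code from the original post), the Python below reproduces the per-character Shannon entropy figure quoted above for the two sample passwords and then sizes the brute-force search space of an 8-character password against the Diceware passphrases just mentioned. It assumes a 95-character printable-ASCII alphabet for the 8-character case, Diceware's 6^5 = 7776-word list, and the post's figure of roughly six hours for all 8-character passwords as the reference cracking rate.

```python
import math
from collections import Counter

# Added example, not from the original post. Assumptions: a 95-character
# printable-ASCII alphabet for the 8-character case, and Diceware's word
# list of 6^5 = 7776 entries (five dice rolls select one word).
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 6 ** 5


def shannon_entropy(s: str) -> float:
    """Shannon entropy, in bits per character, of the frequency
    distribution of the characters inside s (the measure the post uses)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of candidates a brute-force search must cover for
    a password of `length` symbols drawn uniformly from alphabet_size symbols
    (or a passphrase of `length` words drawn from a word list)."""
    return length * math.log2(alphabet_size)


def scale_hours(reference_bits: float, reference_hours: float,
                target_bits: float) -> float:
    """Hours to exhaust a keyspace of target_bits, given that a keyspace of
    reference_bits was exhausted in reference_hours at the same rate."""
    return reference_hours * 2 ** (target_bits - reference_bits)


if __name__ == "__main__":
    for pw in ("akj@!0aj", "password"):
        print(f"{pw!r}: {shannon_entropy(pw):.2f} bits/char")
    eight = keyspace_bits(PRINTABLE_ASCII, 8)
    print(f"8 printable chars: {eight:.1f} bits")
    for words in (5, 6, 7):
        bits = keyspace_bits(DICEWARE_WORDS, words)
        hrs = scale_hours(eight, 6, bits)  # post: 8 chars in ~6 hours
        print(f"{words}-word Diceware: {bits:.1f} bits, ~{hrs / 8760:.0f} years")
```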
I'd sleep a lot easier if mediocre password schemes started finding their way to the dust bin of history.