All such rules make it easier to guess the passwords. One of our less enlightened IT security PHBs has actually made it into a rule that the passwords must be exactly 8 characters long, start with a [A-Z] and contain one \d. It is not entirely clear from his specs if we are allowed to have more than one \d. Oh yes, and no punctuation and such because that messes up with an application that remembers your passwords for you and enters them automatically.

I tried to explain that such moronic rules have reduced the searchspace for possible keys to about one tenth of what it would be without his clever rules and moreover still makes the passwords vulnerable to simple dictionary attacks since 99% of the users now have an easy to remember 7 character word + digit as their password.