[ELI5] Why are we required to include at least one uppercase and one symbol and or numbers when creating a password?


Doesn’t this make your password more vulnerable as it gives a clue to what it is? Also if it’s not a word from a dictionary, why would it matter? Shouldn’t a pw like iilpipi technically be as secure as 11Lpipi?


4 Answers

Anonymous

The security of a password is measured by how many guesses a hacker would have to make before they find your password. The more possible passwords you *could* have chosen, the more they have to guess.

If your password has to have an uppercase character in it somewhere, that increases the security. You have five characters, so if you randomly choose one to make uppercase, that’s five times as many passwords the adversary has to go through. Even more so with numbers.

All that said, this is a terrible password requirement. Making you use one uppercase letter and one number can increase the number of possible passwords a bit – maybe 10-100 times if you’re good at choosing randomly. Adding two characters to the end of your password multiplies the number of possible passwords by many hundreds. In fact, more recent guidelines from NIST have advised companies to drop the requirements for uppercase letters or numbers, and instead just have a minimum length requirement.

There’s also a usability side. It’s much easier to remember two extra characters than to remember which characters you made uppercase, and which ones you turn into numbers. [This xkcd](https://xkcd.com/936/) was somewhat influential in popularizing this point, and it provides a very secure and memorable way to generate good passwords. Of course, the most secure way is to use a password manager, which can generate passwords that are so secure it would take millions of years to guess them correctly.
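Putting numbers on the answer above: this is an added example, not the poster's code, and it assumes a simple model in which the base password is random lowercase letters, the uppercase letter and the digit are each placed at a randomly chosen position, and "adding two characters" means two more random lowercase letters.

```python
"""Keyspace arithmetic for the composition-rule vs. length argument.

Assumed models (illustration only):
  lowercase       : n random lowercase letters, 26**n possibilities
  one_upper       : lowercase base, one randomly chosen position uppercased
  upper_and_digit : one position uppercased, a different position is a digit
  two_more_chars  : the lowercase model with two extra letters appended
"""
import math

LOWER = 26   # lowercase alphabet size
DIGITS = 10  # digit alphabet size


def lowercase_keyspace(n: int) -> int:
    """All-lowercase password of length n."""
    return LOWER ** n


def one_upper_keyspace(n: int) -> int:
    """Lowercase base times the n choices of which position to uppercase."""
    return LOWER ** n * n


def upper_and_digit_keyspace(n: int) -> int:
    """n-1 letter positions, one digit position (10 choices), n choices of
    digit position and n-1 remaining choices of uppercase position."""
    return LOWER ** (n - 1) * DIGITS * n * (n - 1)


def longer_keyspace(n: int, extra: int) -> int:
    """All-lowercase password with `extra` more characters appended."""
    return LOWER ** (n + extra)


def bits(keyspace: int) -> float:
    """Entropy in bits: log2 of the number of equally likely passwords."""
    return math.log2(keyspace)


def gain(n: int) -> dict:
    """Factor by which each policy multiplies the plain lowercase keyspace."""
    base = lowercase_keyspace(n)
    return {
        "one_upper": one_upper_keyspace(n) / base,
        "upper_and_digit": upper_and_digit_keyspace(n) / base,
        "two_more_chars": longer_keyspace(n, 2) / base,
    }


if __name__ == "__main__":
    for n in (5, 7):
        print(f"length {n}: base {bits(lowercase_keyspace(n)):.1f} bits")
        for policy, factor in gain(n).items():
            print(f"  {policy:16s} x{factor:8.1f}  (+{math.log2(factor):.1f} bits)")
```

For a 5-letter base the uppercase rule gives the 5x the answer mentions, while two extra letters give 26 squared, i.e. 676x.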
