Ignorance and stupidity. Here’s the UK [cyber security centre’s recommendations](https://www.ncsc.gov.uk/collection/passwords/updating-your-approach). You’ll see they explicitly recommend against complexity requirements. It’s counterproductive.

> you should specify a minimum password length, to prevent very short passwords from being used. Avoid using any maximum length requirements that a user might try to exceed, as they will make it harder for users to choose a suitable password that fits the length criteria

Ignorance and stupidity. Here’s the UK [cyber security centre’s recommendations](https://www.ncsc.gov.uk/collection/passwords/updating-your-approach). You’ll see they explicitly recommend against complexity requirements. It’s counterproductive.

> you should specify a minimum password length, to prevent very short passwords from being used. Avoid using any maximum length requirements that a user might try to exceed, as they will make it harder for users to choose a suitable password that fits the length criteria