That’s one way it is weaker, but more so because it reduces the entropy. If a user can provide a password which uses 26 letters, upper and lowercase, 10 numbers, and an unrestricted set of symbols, but for the sake of argument we’ll say 10, then there are a lot of possible combinations. If you are limited to only 12 possible at max, it is 46^12. Now you impose an artificial requirement that it is one of each, then it actually weakens that further by making the hacker know that there is one of each in there so it is 26+26+10+10+46^8. Or roughly 9*10^19 vs. 2*10^13. I personally try to use passwords which are between 16-20 characters long, or roughly 2*10^33. By restricting the total number of characters and forcing specific combinations, then the password is significantly less cryptographically sound.
Using this calculator, https://bitwarden.com/password-strength/, it is a difference of 3 hours vs. centuries using the bank’s mandate vs. only lowercase and 20 characters.
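The counting behind this kind of comparison, as an added example that is not part of the original comment: it uses inclusion-exclusion to count exactly how many 12-character passwords satisfy a one-of-each-class rule, next to the unrestricted space of the same length and a 20-character lowercase-only space. The class sizes (26/26/10/10), the fixed lengths and uniformly random character selection are assumptions made for the example.

```python
from itertools import combinations
from math import log2

# Assumed character classes (sizes only); not taken from any real policy.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 10}


def keyspace(alphabet_size, length):
    """Number of strings of exactly `length` over an alphabet of the given size."""
    return alphabet_size ** length


def compliant_keyspace(class_sizes, length):
    """Count strings of `length` that contain at least one character from
    every class, by inclusion-exclusion over the sets of excluded classes."""
    total = sum(class_sizes)
    count = 0
    for k in range(len(class_sizes) + 1):
        # combinations() picks by position, so equal-sized classes stay distinct.
        for excluded in combinations(class_sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count


def bits(n):
    """Entropy in bits of a uniform choice among n possibilities."""
    return log2(n)


def compare(length=12, long_length=20):
    """Return the three keyspaces being compared."""
    sizes = list(CLASSES.values())
    return {
        "free": keyspace(sum(sizes), length),            # any of 72 chars, no rule
        "forced": compliant_keyspace(sizes, length),     # one of each class required
        "lower_only": keyspace(CLASSES["lower"], long_length),  # 20 lowercase letters
    }


if __name__ == "__main__":
    for name, n in compare().items():
        print(f"{name:11s} {n:.3e} combinations, {bits(n):.1f} bits")
```

Length dominates the result: each extra character multiplies the space by the alphabet size, while a composition rule only removes the strings that miss a class.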