My belief is that the password restriction needs to be just enough so that the user does not write down the password. If you make it hard to remember and they write it down it can be found.