Is there precedent that shows that adding restrictions to passwords is dangerous? For example, I use a multi word password for most things, and sometimes it makes me add uppercase or numbers. The average persons password transform just based on that information is probably vulnerable to a sophisticated attack. If I knew a certain site required a certain schema, I could more accurately guess how a user would change their password based on those requirements.