The most frustrating part of the "your password must be min. 8 characters long and include a number and a special character" thing is that it does not improve security.

On the contrary.

I wonder how many people in the company have the name of the city they are located in, and the current year in their password...

#newyork18 #beijing2017

A worse measure is to enforce limits on the length of the password, a bank in Mexico for example encrypts account information sent via email with the account password, BUT the bank's policies state that password must not be larger than 8 characters long and CAN'T include special characters.

Just imagine how much time would it take a brute force attack that password...

And Mexican banks just got hacked, go figure 😂

It improves security a little, by protecting from a bruteforce, at least a little. Dictionary protection just requires some teaching of security principals to people...

Worst thing, a company I worked with had a 3 months validity policy on passwords.

Let's be sure that no one will use an actual complex password / passphrase if they have to memorize a new one every three months.

Pretty sure most people are gonna make it {password}1, {password}2, etc...