There are many things we take for granted in everyday life that are merely the result of historical circumstance, and not very rational when you look closer at them.
One of those things seems to be password policies. subreality posts an insightful ™ comment on Slashdot:
I think a lot of these stupid password policies were the result of Lanman and L0phtcrack.
First, there are two kinds of things that people call “passwords”. #1, a secret phrase that you tell to a remote system to authenticate yourself. #2, a key that has to be cryptographically secure against local attacks.
Traditional Windows NT domains essentially published a Lanman hash of everyone’s password. Lanman had a bizarrely bad hashing scheme: it null-pads your password to 14 characters, then splits it in half to two 7 character passwords. Thus, an attacker gets a local copy of your hash and only has to crack a 7 character long portion of it, which is exactly what L0phtcrack does. Decently good passwords get cracked within hours.
The band-aid attempt to secure this horrible situation was to try to make the most cryptographically secure 7 character password possible. That isn’t a lot of key data to work with so you basically have to have an absurdly line-noised password – and even then it could be cracked given enough time, so NT admins forced changing passwords frequently (which actually doesn’t help, since the attacker just picks up random-guessing on the new hashes as they come out – sooner or later they’ll find one).
So that got enshrined as what a “secure password policy” was supposed to be. Unfortunately, it was designed to protect against an absurdly-bad implementation of scenario #2, when for the most part, your password only needs to be secure in scenario #1, because the hash isn’t published and you can only make a half-dozen attempts to guess it before it gets locked out.