My point is that when I audit passwords, frequently I've seen that users are sitting at their keyboards trying to devise a new password and then they use some stream of consciousness selection like "coffee" or "yankees", but since "coffee" itself won't work they'll add digits to get to the minimum. At that point they realize they have to add a special character, so they tack on an exclamation point or a dollar sign just to get it done. I see it all the time.
So, if a hacker knows that twelve characters with numbers and specials are required, they can set their algorithms accordingly.
This is also the reason why I want to see better security tools. We all get SMTP abuse attempts which block an IP for some defined period of time. I'd like to get a report if a particular account is the repeated target of an attack. So, after so many separate and subsequent attacks either there is a special notification or the temp IP ban gets converted to a permanent ban, along with a special notification.
Tools and reports like this might have saved John Podesta some embarrassment?
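The per-account report and ban escalation asked for above, sketched as an added example that is not part of the original post. The log format, thresholds, window and function names are assumptions made for illustration; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per temporary ban issued by a hypothetical
# SMTP auth-failure blocker. The line format is invented for this example.
SAMPLE_LOG = """\
2024-03-01T02:10:00 tempban ip=203.0.113.7 account=jdoe@example.org
2024-03-01T09:45:00 tempban ip=198.51.100.23 account=jdoe@example.org
2024-03-02T01:05:00 tempban ip=203.0.113.7 account=jdoe@example.org
2024-03-02T14:30:00 tempban ip=192.0.2.99 account=sales@example.org
2024-03-03T03:20:00 tempban ip=203.0.113.7 account=admin@example.org
2024-03-20T08:00:00 tempban ip=192.0.2.99 account=sales@example.org
"""

LINE_RE = re.compile(r"^(\S+) tempban ip=(\S+) account=(\S+)$")

def parse(log):
    """Return time-sorted (timestamp, ip, account) tuples; skip other lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)

def hot(times, threshold, window):
    # True if any `threshold` consecutive events fall inside `window`.
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

def review(events, window=timedelta(days=7), account_threshold=3, ip_threshold=3):
    """Return ({account: source IPs} to notify about, [IPs to ban permanently])."""
    targets, by_ip = defaultdict(list), defaultdict(list)
    for ts, ip, account in events:
        targets[account].append((ts, ip))
        by_ip[ip].append(ts)
    # An account counts as a repeated target even when the source IP rotates,
    # which per-IP temporary bans alone never surface.
    notify = {acct: sorted({ip for _, ip in hits})
              for acct, hits in targets.items()
              if hot([ts for ts, _ in hits], account_threshold, window)}
    permanent = sorted(ip for ip, times in by_ip.items()
                       if hot(times, ip_threshold, window))
    return notify, permanent

if __name__ == "__main__":
    notify, permanent = review(parse(SAMPLE_LOG))
    print("repeatedly targeted accounts:", notify)
    print("convert to permanent ban:", permanent)
```
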