They invariably do. They always constrain the list of things that a fully random generator could possibly make. They never add to that list.
Even rules like “can’t use the same character twice in a row” constrain the list at least a little. That one makes it harder for dumb people to do dumb things, but also makes it harder for smart people to do smart things.
at what point do password requirements start making password easier to crack?
They already do. If I know a number is required, I don’t have to try any passwords that don’t have a number.
They invariably do. They always constrain the list of things that a fully random generator could possibly make. They never add to that list.
Even rules like “can’t use the same character twice in a row” constrain the list at least a little. That one makes it harder for dumb people to do dumb things, but also makes it harder for smart people to do smart things.