Most attacks on passwords these days are credential stuffing, not brute force.
This means that password rules REDUCE the amount of work an attacker has to do, as they can omit previously breached usernames/passwords which don't meet the password rules for the site being attacked. This means they can try more logins before getting rate-limited.
This means that password rules REDUCE the amount of work an attacker has to do, as they can omit previously breached usernames/passwords which don't meet the password rules for the site being attacked. This means they can try more logins before getting rate-limited.