
I just stick an "A!" on the end of my otherwise complex password to satisfy these stupid rules. The worst is when they don't even allow spaces.


The worst rule that I have seen was that you can't have the same character next to each other.

So "Pasword1234#" was a "strong" password, but "ha_ivrkbs(i5HzJzee%Ii3jsk#7jaot" was considered weak - note "ee" in the middle of the string.


A bank I used in the past does that AND also does not allow you to set consecutive numbers that increase or decrease, e.g. 12, 34, 87, etc.

No idea how many bits of entropy it removes but it's absurd.


I recently had to (for work) create an account on a website with a password “strength” indicator and the following limitations:

- At least one upper case

- At least one lower case

- At least one number, but not as the first character and no two numbers in a row

- No special characters

- Maximum characters: 8

There was a minimum too but I can’t recall what it was. Hopefully 7 for maximum security.

My randomly generated password from my password manager got a “medium” on their strength scale.
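The keyspace cost of the rule set listed in the comment above can be counted exactly. This is an added example, not part of the thread; it assumes passwords of exactly the 8-character maximum over A-Z, a-z and 0-9 (26/26/10 symbols), since the minimum length is not given, and the function names are hypothetical.

```python
import math
from collections import defaultdict

def count_policy_passwords(length, n_upper=26, n_lower=26, n_digit=10):
    """Count strings that satisfy the listed rules (constructed model):
    letters and digits only, at least one upper, one lower and one digit,
    no digit as the first character, no two digits in a row."""
    # DP state: (has_upper, has_lower, has_digit, last_was_digit) -> count
    states = {(False, False, False, False): 1}
    for pos in range(length):
        nxt = defaultdict(int)
        for (up, lo, dg, last_digit), n in states.items():
            nxt[(True, lo, dg, False)] += n_upper * n   # append an upper-case letter
            nxt[(up, True, dg, False)] += n_lower * n   # append a lower-case letter
            if pos > 0 and not last_digit:              # digit rules from the list
                nxt[(up, lo, True, True)] += n_digit * n
        states = nxt
    return sum(n for (up, lo, dg, _), n in states.items() if up and lo and dg)

def bits(count):
    """Entropy in bits of a uniform choice among `count` passwords."""
    return math.log2(count) if count else 0.0

def report(length=8):
    """Compare the policy keyspace with unrestricted alternatives."""
    allowed = count_policy_passwords(length)
    return {
        "policy_bits": bits(allowed),
        "alnum_bits": bits(62 ** length),        # same alphabet, no rules
        "printable_bits": bits(95 ** length),    # printable ASCII incl. space
        "fraction_of_alnum_kept": allowed / 62 ** length,
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.3f}")
```

Each composition rule only removes candidates, so the policy figure is always below the unrestricted alphanumeric one, and both sit well below what the same length gives once special characters are allowed.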


I recently had to create accounts for work benefits at TWO different sites that had user name complexity requirements, and actually rated the strength of my user name! That's something I had never seen before, and it seems pretty misguided.

The worst of these also had a 20 character password limit (at least it wasn't 8!), along with several of these nonsense requirements that limit repeated characters. I couldn't manage to generate a password they would accept. Eventually I realized that not only did they allow only certain specific special characters, but their password length validation was wrong and would only accept 19 characters because they were testing for <= 20.



