They invariably do. They always constrain the list of things that a fully random generator could possibly make. They never add to that list.
Even rules like “can’t use the same character twice in a row” constrain the list at least a little. That one makes it harder for dumb people to do dumb things, but also makes it harder for smart people to do smart things.
at what point do password requirements start making password easier to crack?
They invariably do. They always constrain the list of things that a fully random generator could possibly make. They never add to that list.
Even rules like “can’t use the same character twice in a row” constrain the list at least a little. That one makes it harder for dumb people to do dumb things, but also makes it harder for smart people to do smart things.