Totally agree.
At least 1 Uppercase means 99% of people just use an uppercase first character for their standard password. 1 number means they append 1,2 or a year and 1 special character means they append an exclamation mark. Entropy added = 0 (if password rules are known to the attacker). I don't get how anyone who cared the slightest about security would think otherwise and enforces these stupid rules.
I think a lot of it is driven by management. I've had to talk management out of it before. Then they still "don't get it" and think I'm OK with an "easier to hack" website, holding it against me as a character flaw - as if I'm a bad engineer who doesn't believe in diligence.
Anyway, that's probably where they come from - implemented by more obedient employees.
