I don't think that it is quite that simple. Requiring use of all possible characters (up/low/digits/symbols) does ensure that the search space is the largest possible, at the cost (as you point out) of giving the attacker extra knowledge of the parameters of that space - but for most cases, this results in increased difficulty for the attacker.

That depends on what the attacker is after. If finding the first password as quickly as possible, a dictionary attack against a list with no restrictions is the way to go. But more often these days, the attacker wants either one particular account, or all accounts. For one particular account, a dictionary attack is over and done with in seconds, after which it's back to brute forcing. For all accounts, you can do the same, but the yield is lower - getting a few percent of passwords early is not as time saving as making the search space a fraction of what it was.

The way good cracking apps work these days is that there's a generator that generate all possible passwords, using lemma frequency order from existing cracks to determine the order, and filtering out any passwords that fail the criteria for that site. Then the resulting passwords are distributed to multiple crackers.

The start of the brute force list can even be generated ahead of the actual cracking.

The filtering out part is important. It can easily reduce the amount of hashing needed by orders of magnitude(!). A crack that would take years can be done in weeks, because of an IT manager who came up with very complex password rules.

If really complex, it allows for rainbow tables for much longer character lengths than what would otherwise be feasible, and if a hash table has been obtained, that near instantly catches a *lot* more passwords than dictionary attacks do.

In effect, the IT manager gambles on the hashes never getting out, to gain a small advantage against a type of attack that never occurs these days - brute force against normal logins - for which there are far superior protection methods.

Chances are that he or she doesn't even know the real world effects, and believes that if it frustrates the employees, it will frustrate hackers even more. Not so.