The problem is that if you don't enforce users to use capital letters, numbers and punctuation, they will use just lowercase chars, for lazyness.
Thus, if a hacker brute-forces with lowercase chars, he will be successful on most users.
Actually, brute force attacks works very well with dictionaries, so the real benefit would be not allowing common words, instead of enforcing capitals or numbers.
I have experience of this because I did security audits on unix machines back in the nineties: you could easily find most passwords by using a dictionary + some numbers and mixed caps.
I don't agree with the enforce of punctuation and uppercase for two reasons:
1) most (new) keyboard don't have the CAPS LIGHT, so you don't know if you are in uppercase or not, you have no idea how many customers bitches about the uppercase thing with the wireless keyboards, because they type it wrong several times and the passwords gets disabled, all because those keyboards don't have the caps light.
2) punctuation: about 70% of every computer i work on, have the keyboard language mapping wrong, so punctuation are everywhere except where you expect it, so, it is impossible (unless you remember the position of the punctuation keys) to type a password like that if you can't see what are you typing because the mapping does not match the real keyboard.
I think is better to use only lowercase letters and numbers, and a dictionary check, if the password is found in the dictionary, it will force you to choose another one.
agreed, i'm about to sign up to hashcows for testing and these password requirements are cumbersome
about 85% of the computers i use are 23 year old radio shack types and a variety of letters can be quite sticky
i say make required passwords be a 3 digit pin (no duplicate digits! i might hit the key twice on accident!) and leave it at that