Re: It's not just about websites though is it?
Just to add a wrinkle: I work in a country where my keyboard in a workplace can be US, UK, German, Swiss German, French or even something else. So, using even letters of the alphabet can cause problems as these move around the keyboard (I touch type and am reasonably multi-lingual in this respect).
So, one learns, the hard way, not to use those characters that may be absent on some keyboards or move about (e.g. Z and Y). Combine this with the above-mentioned idiocy of enforced, frequent password changes with differing validity periods, numbers of retries, rules (sometimes clashing, such as minimum and maximum lengths): a fine way to keep more and more low-level admins employed.
In the end, security is degraded severely as unhappy and alienated users find it almost impossible to remember which password for which system is current, and so stay logged in for as long as possible to avoid having to re-enter the string, or avoid using the system as long as possible, or write down the numbers, with any luck in their mobile telephones or in a file under a login they really do use and know well.
I tend to put important ones in my mobile (according to the manufacturer, encrypted - I have the most complex password for that) and, because a mobile can get lost, forgotten or run out of battery, in a simple text file, encrypted using gpg (using another odd password). It does not protect me against mistypes because I forgot I had changed it, or which keyboard I am on, or just was not fully awake. But it is the best that I could do so far.
Then, some systems seem to be so complex, or perhaps the network is so bad, that the change does not actually go through or causes a lock at once. Some even warn you that the relevant server is so far away across some international firm's network that it will not be active for 24 hours (really) and the LDAP server is down and… Or you must restart your PC to flush all caches…
Then, the reminder email tells you that you must change the password within ten days. Oh dear, it arrived the day after you left for a fortnight's holiday, following the firm's rules that you must take at least a fortnight's holiday in one lump every year. What fun trying to log back in when you return (you know where the helpline number is, or you must use email; it's listed in the internal website - oh, you cannot log in, and you came in early and nobody else is here for two hours yet).
Moral: over-prescription and micro-control are not better than simplicity, education and adjustment to real human-computer interaction.