>>passwords must be at least 9 characters, contain upper and lower case characters, and at least one number and one non-alphanumeric character
> Yes, that's a good point. I personally cannot think, with the hindsight of experience, of a common scenario where those complexity rules would be helpful (save, perhaps, where it is known / required that the user have a password manager?)
The most common scenario is because some lowlife hacker has obtained a copy of your SAM/passwd/shadow files and is attempting to run a dictionary attack or rainbow table on it to steal authorised access. Those complexity rules increase the attack space significantly, and can easily be the difference between a hack in reasonable time, and a hack that fails because password expiry has made the attempt moot or the computational requirements are too great.
Adding capitals into a 1-9 character alpha-numeric password (no symbols) increases the search-space by an order of magnitude or two for NTLM hashes.
Longer passwords are actually much better at increasing complexity - thus a new trend of passwords being strings of unrelated words - "correcthorsebatterystaple" (https://xkcd.com/936/). Much harder for hackers to attack in reasonable time.
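
The search-space arithmetic in the comment above, worked through as an added example (not part of the original post). It models exhaustive character-by-character search only; the guess rate and the 90-day expiry window are constructed assumptions, not measurements of any real hash or cracking rig.

```python
# Added example: exhaustive-search keyspace for the password policies discussed
# in the thread, compared against a password-expiry window.
SECONDS_PER_DAY = 86_400
GUESSES_PER_SECOND = 10**10   # assumption: constructed offline guess rate
EXPIRY_DAYS = 90              # assumption: constructed password-expiry window


def keyspace(charset_size, min_len, max_len):
    """Number of candidate passwords with length in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def days_to_exhaust(charset_size, min_len, max_len, rate=GUESSES_PER_SECOND):
    """Worst-case days to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, min_len, max_len) / rate / SECONDS_PER_DAY


def outlasts_expiry(charset_size, min_len, max_len, expiry_days=EXPIRY_DAYS):
    """True if a full search takes longer than the password stays valid."""
    return days_to_exhaust(charset_size, min_len, max_len) > expiry_days


# (label, charset size, min length, max length)
POLICIES = [
    ("1-9 chars, lower case + digits", 36, 1, 9),
    ("1-9 chars, mixed case + digits", 62, 1, 9),
    ("9 chars, all printable ASCII", 95, 9, 9),
    ("25 chars, lower case only", 26, 25, 25),
]


def report():
    """Return (label, keyspace, days, outlasts_expiry) for each policy."""
    return [
        (label, keyspace(c, lo, hi), days_to_exhaust(c, lo, hi),
         outlasts_expiry(c, lo, hi))
        for label, c, lo, hi in POLICIES
    ]


if __name__ == "__main__":
    for label, space, days, safe in report():
        print(f"{label:32} {space:.3e} candidates  {days:.3g} days  "
              f"{'outlasts' if safe else 'within'} {EXPIRY_DAYS}-day expiry")
```

Swap in a measured guess rate for the hash type you actually store and your own expiry policy before drawing conclusions from the output.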