How much does the entropy change going from 6 digits to 8 digits with several sequence restrictions?


One system I use just changed their password policy. Previously, the only requirement was 6 digits. (e.g. 123456, 111111)

Now it's 8 digits, with no sequence of 3 or more digits, and no pattern such as abab anywhere.

No clear rules but the following are invalid:

  • 11111111
  • 12345678
  • 12393659 (because of ^123)
  • 76768747 (because of ^7676)
  • 11195712 (because of ^111)

Is there any way to calculate the difference in randomness? Mainly, is the set now bigger or smaller?

There are 3 answers below.

BEST ANSWER

Six digits gives $10^6$ possibilities, and $\log_2(10^6)\approx 20$, so the old way is about $20$ bits. Eight digits gives $10^8$ possibilities, which is about $26.6$ bits. The restrictions don't hurt too much. A rough approximation would be to say the three-successive-digit rule removes $\frac1{1000}$ after the second digit and the three-repeated-digit rule the same. So you only lose $\frac{12}{1000}$ of your passwords. The repeated-pairs rule removes even less. Practically, if you were brute forcing, you would probably ignore the restrictions and try them all, as it would be so much easier to program.

ANSWER

In the absence of clear rules, it's hard to count the number of allowed passwords. But I don't think that's the point. An attacker wouldn't have to try all possible passwords: they would try ones that people are likely to choose because they're easy to remember. If passwords such as $123456$ are allowed, some people will use them, and the attacker will take advantage of that. With the new rules, people will have to be more creative in choosing an easy-to-remember password. Maybe the first 8 digits of their favourite pizza restaurant's phone number -- oh wait, the attacker knows that too...

ANSWER
  1. You say: "No clear rules, but the following are invalid:" But there must be clear rules, otherwise how did this get implemented?
  2. The new set of allowed passwords is nearly 100 times larger than the old set -- the restrictions only invalidate a small proportion of the extra numbers. Without knowing the rules, it's impossible to say exactly what this proportion is, but my rough guess would be less than 10%. So no worries there.
  3. Why are only digits allowed? Are you using a numeric keypad?
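The first and third answers estimate how many 8-digit PINs the restrictions remove; the count can be done exactly. The script below is an added example, not code from any answer on this page. It assumes the three rules the question's examples show (no three identical digits in a row, no three consecutive ascending digits, no abab pattern); whether descending runs or wrap-around like 890 also count is not stated on the page and is not modelled.

```python
import math
from collections import Counter

# Rules assumed from the question's examples (the page gives no formal spec).
def violates(digits):
    """True if the digit sequence breaks a rule at any position."""
    for i in range(len(digits)):
        if i >= 2:
            a, b, c = digits[i - 2], digits[i - 1], digits[i]
            if a == b == c:                    # three repeated digits, e.g. 111
                return True
            if b == a + 1 and c == b + 1:      # three ascending digits, e.g. 123
                return True
        if i >= 3 and digits[i - 3] == digits[i - 1] and digits[i - 2] == digits[i]:
            return True                        # abab pattern, e.g. 7676
    return False

def is_valid(pin):
    """Check one PIN string against the assumed policy."""
    return pin.isdigit() and not violates([int(ch) for ch in pin])

def count_valid(length, restricted=True):
    """Count PINs of the given length by dynamic programming: every rule
    only looks at the last four digits, so tracking how many valid prefixes
    end in each 3-digit suffix is enough; no need to enumerate 10**length."""
    states = Counter({(): 1})   # suffix (up to 3 digits) -> number of valid prefixes
    for _ in range(length):
        nxt = Counter()
        for suffix, ways in states.items():
            for d in range(10):
                window = suffix + (d,)
                if restricted and violates(window):
                    continue
                nxt[window[-3:]] += ways
        states = nxt
    return sum(states.values())

def compare_policies():
    old = count_valid(6, restricted=False)   # old policy: any 6 digits
    new = count_valid(8)                     # new policy: 8 digits with the rules
    return {"old_count": old, "new_count": new,
            "old_bits": math.log2(old), "new_bits": math.log2(new)}

if __name__ == "__main__":
    r = compare_policies()
    print(f"old: {r['old_count']:>11,} PINs = {r['old_bits']:.2f} bits")
    print(f"new: {r['new_count']:>11,} PINs = {r['new_bits']:.2f} bits "
          f"(restrictions remove {1 - r['new_count'] / 10**8:.1%} of 10^8)")
```

Under these assumptions the restrictions remove well over the $\frac{12}{1000}$ the best answer estimates (each of the 6 three-digit windows alone loses 18 of 1000 patterns), yet the new set is still far larger than the old one.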