03/05/2020

The War of Passwords: Compliance vs NIST

The State of Security

The most recent National Institute of Standards and Technology (NIST) guidelines for passwords, published in Special Publication 800-63B, have been updated. The document no longer recommends requiring combinations of capital letters, lower case letters, numbers and special characters. Yet most companies and systems still mandate these complexity requirements for passwords. What gives?

There’s a bit of an arms race between NIST and compliance regulations. SOX, SOC 2, PCI, etc., all have some password complexity commentary. These have been influenced by NIST in the past, and systems have been updated to require combinations of letters, numbers and symbols so that companies who need to attain these compliance certifications can require their users to follow them.

Legacy and Technical Password Limitations

On top of regulations, there are the technical system requirements for passwords. Some systems have password encryption but no enforcement of character complexity. Some have fine-tuning so that the administrator can specify exactly which combinations of special characters, letter cases and numbers are required. And still others were created in the days when storage was at a premium, leading them to still use only the first 8 characters of whatever you type in as your password. It all depends on what the leading school of thought was when the tool was created and which compliance regulations the tool manufacturer thought it would need to satisfy.
