There's many variations of this:
- Must contain number
- Must contain special character
- Must contain upper/lowercase letter....
I guess there's scope for password with repeated characters. "Password must be 10 characters; oh look, aaaaaaaaaa works" too
https://en.wikipedia.org/wiki/Password_policy#Password_length_and_formation