I'm finding that a bit of a leap. I don't see that requiring at least one A-Z and one 0-9 is the same as forbidding a-z. In an ideal world, users could propose whatever they want for passwords and the code would tell them how long it would take a cracker to break it, but that would require that the code interact with a set of 'pwned' lists - and users would retry if they got something under 20 seconds, but users are often idiots (PEBKAK in IT-speak).