10

Why would anybody do this?
Especially the last point
aaaaaab is already a lot more secure than 1234 but who cares, right?

Comments
  • 1
    This isn't that bad, I've had requirements that had a max length limit of 10 characters.

    I don't own an Xbox myself but I think a friend couldn't enter his MS password on there because it was too long.
  • 4
    The most secure passwords are the ones without restrictions.
  • 1
    @jamesharrington unless your user is stupid and just enters no password
  • 4
    The best restriction to have in your password requirements is to have at least one emoji
  • 4
    Length adds more entropy than anything else.
    Basically every other complexity requirement is just stupid.
  • 3
    my uni password must NOT be longer than 8 characters ... don't see the reason behind that 😌
  • 1
    We use this in our project: https://github.com/dropbox/zxcvbn

    It uses a minimum entropy ("quality") of the password and checks it against a dictionary of the most common passwords, to prevent your users from using "qwerty".
    No "your password needs at least 3 special characters and the last name of a Michelin-awarded chef", but "your password is insecure".

    Most importantly, TELL the user if the password he wants to set satisfies your constraints. Nothing is more frustrating than playing the guessing game.
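
An added example, not code from the original post, from the commenter's project, or from zxcvbn itself: a miniature zxcvbn-style estimator that scores passwords by how many guesses the cheapest attack it can model would need, instead of counting character classes, and tells the user why a password was rejected. It takes the post's own "1234" and "aaaaaab" as inputs alongside a composition-rule-compliant "Password1" and a long all-lowercase string, which is the length-beats-complexity point from the comment above. The common-password list, the 10^8 guess threshold, the k! segmentation penalty and the per-matcher guess formulas are all assumptions for this example; real zxcvbn ships dictionaries with tens of thousands of entries plus l33t, keyboard-pattern and date matchers, so this toy will overestimate the strength of anything built from real words it does not know.

```python
import math
import re

# Constructed stand-in for zxcvbn's frequency-ranked dictionaries; real
# lists hold tens of thousands of entries. Rank = 1-based list position.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "1234",
                    "letmein", "football", "iloveyou", "admin", "monkey"]
RANK = {pw: i + 1 for i, pw in enumerate(COMMON_PASSWORDS)}

# Policy threshold (an assumption for this example): a password is accepted
# only if the cheapest attack we can model needs at least 10**8 guesses.
MIN_GUESSES = 10 ** 8


def charset_size(pw):
    """Alphabet an attacker has to search when brute-forcing this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return size


def segment_guesses(seg, alphabet):
    """Cheapest known way to guess one segment: (guesses, reason or None)."""
    guesses, why = alphabet ** len(seg), None          # brute force fallback
    low = seg.lower()
    if low in RANK:                                    # common-password list
        g = RANK[low] * (2 if low != seg else 1)       # capitalisation: x2
        if g < guesses:
            guesses, why = g, f"'{seg}' is one of the most common passwords"
    m = re.fullmatch(r"(.+?)\1+", seg)                 # repeats: "aaaaaa", "abab"
    if m:
        unit = m.group(1)
        g = alphabet ** len(unit) * (len(seg) // len(unit))
        if g < guesses:
            guesses, why = g, f"repeating '{unit}' adds almost no strength"
    if len(seg) >= 3:                                  # sequences: "1234", "zyx"
        deltas = {ord(b) - ord(a) for a, b in zip(seg, seg[1:])}
        if deltas in ({1}, {-1}):
            g = 10 * 2 * len(seg)   # ~10 likely starts x 2 directions x length
            if g < guesses:
                guesses, why = g, f"'{seg}' is a simple sequence"
    return guesses, why


def estimate(pw):
    """Total guesses for the cheapest segmentation of pw, plus the reasons.

    Dynamic programme over (prefix length, segment count), in the spirit of
    zxcvbn's most-guessable-match-sequence search: the attacker also has to
    guess how the password is split, modelled here as a k! factor for k segments.
    """
    n = len(pw)
    alphabet = max(charset_size(pw), 10)
    best = [dict() for _ in range(n + 1)]   # best[i][k] = (raw, reasons) for pw[:i]
    best[0][0] = (1, [])
    for i in range(1, n + 1):
        for j in range(i):
            g, why = segment_guesses(pw[j:i], alphabet)
            for k, (raw, reasons) in best[j].items():
                cand = (raw * g, reasons + ([why] if why else []))
                if k + 1 not in best[i] or cand[0] < best[i][k + 1][0]:
                    best[i][k + 1] = cand
    total, reasons = min(
        ((raw * math.factorial(k), r) for k, (raw, r) in best[n].items()),
        key=lambda t: t[0])
    return total, list(dict.fromkeys(reasons))


def check(pw):
    """Policy decision with feedback the user can act on, not a rule list."""
    guesses, reasons = estimate(pw)
    if guesses >= MIN_GUESSES:
        return True, guesses, "OK"
    hint = "; ".join(reasons) or "too short for its alphabet, try a longer passphrase"
    return False, guesses, f"Too weak (about 10^{math.log10(guesses):.1f} guesses): {hint}"


if __name__ == "__main__":
    # "1234" and "aaaaaab" are the post's examples; the rest are constructed.
    for pw in ["1234", "aaaaaab", "Password1", "Tr0ub4d&3", "mvtlqzepwrhgkn"]:
        ok, guesses, msg = check(pw)
        print(f"{pw:16} {'accept' if ok else 'reject':6} {msg}")
```

Run as a script it rejects "1234" (a dictionary hit), "aaaaaab" (a repeat plus one brute-forced character, a few thousand guesses in this model) and "Password1" (uppercase, lowercase and a digit, yet a dictionary word plus one character), while the 14-character all-lowercase string scores higher than the 9-character four-class one. Every rejection carries the reason, which is the commenter's last point: tell the user what is wrong instead of making them guess.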