True, but this bar for password complexity is very low, unless the platform is allowing very high numbers of failed login attempts. The attacker can only try a tiny number of possible passwords (hopefully only thousands per day or less), which even very weak passwords can defeat.