...
Passwords generated by actual users may not be as strong as randomly generated passwords. The problem is people can follow predictable patterns. For example, when users are asked to include capital letters in passwords they will often choose to capitalize the first letter of each word. When asked to include numbers or special characters in their password, they will often use 'Leet' substitutions, so 'password' becomes 'p4$$w0rd'. Hackers are familiar with these patterns, and can exploit them with modified dictionary attacks. Even though 'password' is eight characters it would be cracked on the second attempt of a dictionary attack since it is the second most common password ('123456' is number one).
See:
Jira Legacy server JIRA (sagebionetworks.jira.com) serverId ba6fb084-9827-3160-8067-8ac7470f78b2 key PLFM-3818 Jira Legacy server JIRA (sagebionetworks.jira.com) serverId ba6fb084-9827-3160-8067-8ac7470f78b2 key PLFM-3820