Does having a minimum number of digits improve password security?

The security of the password is not really about what the users are allowed to choose, but what the users actually choose on average.

The attacker tries to guess the password that the user chose, and he will do so by trying the most probable passwords first. "Most probable" here designates a kind of psychological study that the attacker performs; in plain words, this means that the attacker will try names of famous soccer/baseball/hockey players because many users, left to their own devices, use these names as passwords.

The ideal user selects his password totally at random, with uniform probability over the space of possible passwords (i.e. all passwords that can be typed in and that the machine will accept). Most users won't do that, though. Even if they can use digits in their passwords, they will prefer not to use digits, if given the choice; because users, like everybody else, try to maximize their own comfort and efficiency, so they want passwords which are easy to type and easy to remember. A full-alphabetic password is easier to remember than a mixed letters-numbers password, and also easier to type, especially on smartphones (e.g. the basic Android visual keyboard shows letters and numbers on separate screens).

A constraint on a minimal number of digits is an attempt at making the users more random: it prevents them from using full-alphabetic passwords, because, when technically allowed to do so, users turn out to rely on very low entropy passwords (the ones which are easy to guess). By enforcing the inclusion of some digits, a sysadmin can push the users (slightly) out of their comfort zone, and force them to choose a password where a simple soccer player name is not a valid password.

Done with moderation and taste, this increases security by making passwords, on average, less guessable. Don't put too much hope in it, though: many users will add "111" at the end of their password, and be done with it. The attacker knows that, too. Moreover, the more constraints you add, the more likely the user is to become an enemy. People don't like to be pushed out of their comfort zone. If you shove them too much, they will react quite creatively, for instance by writing down passwords on a piece of paper (hidden, as per immemorial Tradition, under the keyboard -- and the attacker knows that, of course). The users cannot really be blamed for that, but the net effect is that security can decrease when well-intentioned constraints are enforced.


On the topic of non-alphabetic characters in passwords, there is a famous XKCD comic. Do also read the follow-up thread on this site. Beware that some of the answers there miss the point; I especially recommend the answers by Thomas Pornin, AviD and Mike Hamburg.

"To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize."

That's only one side of the coin, however. Most users don't try for a hard-to-guess password, they prefer to stick to something memorable, like the name of their first child. Forcing them to have a digit does add a couple of bits of entropy: sure, a lot will append 1, but some will use their date of birth. Users who type on a mobile keyboard that requires a mode switch between letters and digits are especially likely to put the digit(s) at the end.

Requiring punctuation is more likely to add entropy, by the way. While a . at the end is an "obvious" punctuation character, some users will pick a two-word passphrase with a punctuation mark in between.

There is also a security theater aspect: if you document in your security policy that passwords must have a minimum of X characters including 1 digit and 1 uppercase letter, it looks like you're doing something to improve security, even if there are far better methods with all-lowercase passwords.


You are right that forcing users to have a number in a password increases the character set and therefore the cryptographic strength, the same as enforcing capitals and special characters. I think enforcing 3 digits in a password is counter-productive as most users will simply tack 3 numbers onto the end of a password to keep things simple. If most passwords are passw123 or something567 it actually reduces the complexity by introducing a pattern.
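The point the answers above share (users tack "111" or "123" onto a dictionary word, the attacker tries exactly those suffixes first, and a composition rule can still reject a far stronger all-lowercase passphrase) can be put in numbers. The Python below is an added example, not code from any of the answers: a toy rule-based cracker that enumerates a constructed ten-word dictionary under a constructed list of popular suffixes and case mutations, compared with the naive "character set to the power of length" figure that a policy calculator reports, and with a uniformly random diceware-style passphrase. The word list, the suffix list, the policy parameters and the 7776-word list size are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed mini dictionary of common base words (an attacker's wordlist in miniature).
BASE_WORDS = ["password", "soccer", "messi", "ronaldo", "letmein",
              "qwerty", "dragon", "monkey", "football", "hockey"]

# Constructed mangling rules: suffixes users reach for when a policy demands a digit,
# in the order a rule-based cracker would try them (most common first).
SUFFIXES = ["", "1", "123", "111", "12", "!", "1!", "2023"]

# Assumed size of a standard diceware word list (6^5 words); not from the page.
DICEWARE_SIZE = 7776


def case_variants(word):
    """Case mutations a cracker applies to each base word: as-is, Initial cap, ALL CAPS."""
    return (word, word.capitalize(), word.upper())


def guess_order(base_words=BASE_WORDS, suffixes=SUFFIXES):
    """Yield candidates in cracking order: cheapest rule first, every word under that rule."""
    for suffix in suffixes:
        for word in base_words:
            for variant in case_variants(word):
                yield variant + suffix


def guesses_needed(target, base_words=BASE_WORDS, suffixes=SUFFIXES):
    """Number of guesses until the rule-based attacker hits `target` (None if never)."""
    for n, candidate in enumerate(guess_order(base_words, suffixes), start=1):
        if candidate == target:
            return n
    return None


def naive_charset_bits(password):
    """Strength a 'character classes x length' policy calculator would report, in bits."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(charset)


def attacker_model_bits(password, base_words=BASE_WORDS, suffixes=SUFFIXES):
    """Effective entropy against the rule-based attacker: log2 of the guesses it needs."""
    n = guesses_needed(password, base_words, suffixes)
    return None if n is None else math.log2(n)


def meets_policy(password, min_len=8, min_digits=1, min_upper=1):
    """A typical composition rule: minimum length, at least one digit, at least one capital."""
    return (len(password) >= min_len
            and sum(c.isdigit() for c in password) >= min_digits
            and sum(c.isupper() for c in password) >= min_upper)


def passphrase_bits(word_count, list_size=DICEWARE_SIZE):
    """Entropy of `word_count` words drawn uniformly at random from `list_size` words."""
    return word_count * math.log2(list_size)


def random_passphrase(word_count, wordlist):
    """Uniformly random all-lowercase passphrase; its entropy is passphrase_bits(word_count, len(wordlist))."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    # Policy-compliant "Soccer123" rates ~54 bits by the charset formula but falls on guess 65.
    for pw in ["dragon", "messi111", "Soccer123"]:
        print(f"{pw:10} policy={meets_policy(pw)!s:5} naive={naive_charset_bits(pw):5.1f} bits "
              f"attacker={attacker_model_bits(pw):4.1f} bits ({guesses_needed(pw)} guesses)")
    # An all-lowercase random four-word passphrase fails the policy yet keeps ~52 bits
    # even against an attacker who knows the exact word list.
    phrase = random_passphrase(4, BASE_WORDS)  # toy list; a real one has DICEWARE_SIZE words
    print(f"{phrase!r}: policy={meets_policy(phrase)} "
          f"random-from-{DICEWARE_SIZE}-words={passphrase_bits(4):.1f} bits")
```

The gap between `naive_charset_bits` and `attacker_model_bits` is the whole argument: the digit requirement raises the former by a class of 10, but the attacker's cost only grows by the number of suffix rules he has to try, which is a handful. Against a real wordlist and rule set the guess counts are larger than this toy's, but the ratio stays in the same spirit.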