
About "10. If the user guesses an invalid password, say why it’s invalid", it's terrible from a security perspective. If the password is wrong, it is wrong. A potential attacker must have no clue of what he guessed.



I think the intention is to impose the same restrictions on the "login" password field as on the "sign in" password field. This gives a hint to users as to why their entered password is incorrect, and does not slow down an attacker. This is particularly important for systems with unusually restrictive password fields.


I think that suggestion is purely UX upside with no additional security risk.

Validating the input password on the login page should expose exactly the same amount of information as validating it on your signup page.

A remotely-motivated attacker will harvest all the constraints he can from your signup page.

Trying to hide them on the login page buys you nothing.


If someone is going to naively brute-force your login screen, it's safe to assume they're going to look at the sign-up password requirements anyway. Nobody is just going to throw the whole Unicode character set at your password field and go from 1 to infinity characters in order to guess your passwords.

More likely a hashed table gets leaked and they just compare it with existing rainbow tables. Password hints do nothing to protect against that, while inconveniencing your real users.

For a real user trying to guess their password, providing hints (that already match your signup rules) might take them down from 10 wrong guesses to 2 or 3, a huge improvement. For brute-forcing bots, it might take them from 5 years to 4.5 years per password. So what?

If it's another human trying to guess someone's password, again, the requirements are already there in the sign up screen. Also, it's probably easier just to spearphish them with a fake email or try to answer their (not-so) secret questions based on public records and whatnot.


I think there might be a misunderstanding here.

Author isn’t saying “password = hunter2, guess = hunter3, hint = you got the number wrong”

It’s more like “guess = hunter3, hint = passwords must be at least 10 characters”

You’re not revealing anything about the actual password that you wouldn’t know by reading the password rules on the registration page.
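The distinction the commenters are drawing can be made concrete in code. The following Python login handler is an added illustration, not code from the thread or from any project it discusses; the policy (a single minimum-length rule), the user store, the salt and the `hunter2`-style passwords are all constructed for the example. It checks the published signup rule first and returns that rule as the hint, and only then compares against the stored hash, answering with one fixed message whether the username is unknown or the password is wrong. The hint step never touches secret data, so it cannot reveal anything the signup page does not already state.

```python
import hashlib
import hmac
from typing import Optional

# Constructed policy: the same rule the signup page publishes.
MIN_LENGTH = 10

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed user store. A real system uses a random per-user salt (os.urandom).
_SALT = b"constructed-fixed-salt-16"
USERS = {"alice": (_SALT, _hash_password("hunter2hunter2", _SALT))}

def policy_violation(password: str) -> Optional[str]:
    """Return the public signup rule the guess breaks, or None if it passes."""
    if len(password) < MIN_LENGTH:
        return f"passwords must be at least {MIN_LENGTH} characters"
    return None

def login(username: str, password: str) -> str:
    # Step 1: apply only the published rules. A guess that breaks them cannot
    # be any account's password, so this check consults no stored secret and
    # leaks nothing beyond what the signup page already shows.
    hint = policy_violation(password)
    if hint:
        return f"invalid: {hint}"

    # Step 2: the real credential check. The failure message is identical for
    # an unknown username and a wrong password, so it reveals neither.
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username takes about as long as a wrong password.
        _hash_password(password, _SALT)
        return "invalid username or password"
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "ok"
    return "invalid username or password"

if __name__ == "__main__":
    print(login("alice", "hunter3"))         # policy hint, as on the signup page
    print(login("alice", "hunter3hunter3"))  # generic failure
    print(login("alice", "hunter2hunter2"))  # ok
```

Note that the hint branch short-circuits before any hash is computed; if a deployment wants every login attempt to cost the same, it should rate-limit at the handler rather than remove the hint, since the hint text is public either way.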
