1: All passwords must be longer than 10 characters.
This increases the search space an attacker has to cover in a brute-force attack. If you are using a password which contains letters, numbers and symbols, every additional character multiplies the time required to brute-force it by around 80 times.
2: No password on the list of 1 million most used passwords can be used.
On paper, this sounds like a draconian requirement, but in reality, once you exclude the ones under 10 characters (rule 1), there are around 130,000 remaining. The rationale behind this is that, if a brute-force attacker cannot try to guess every short password, they will instead start to try the most common passwords. Disallowing both makes it very difficult for an attacker to gain access.
3: Your password cannot be equal to your username, your email address, or this URL.
This is a fairly obvious rule, but I'm spelling it out to avoid any doubt.
4: THERE ARE NO MORE RULES
This is exactly what it says on the tin. There are no requirements for "1 char each from: Arabic, Chinese, Thai, Korean, Klingon, Wingdings and an emoji". While, again, this doesn't appear to make sense on paper, it is recommended by both Jeff Atwood (above) and the most recent US Government Guidelines.
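
The four rules above as a server-side check, written as an added example (not this site's own code). The function names, the sample common-password list, the example account values and the choice to compare after Unicode normalisation and case-folding are all assumptions made for illustration.

```python
import unicodedata

MIN_EXCLUSIVE = 10  # rule 1 says "longer than 10", so 11 is the shortest accepted

# Constructed stand-in for the 1 million most-used passwords list
# (assumption: the real list is loaded from a file, one entry per line).
SAMPLE_COMMON = ["123456", "password", "qwertyuiop",
                 "password123", "iloveyou1234", "qwertyuiop123"]


def nfkc(text):
    """Normalise so that visually identical Unicode strings compare equal."""
    return unicodedata.normalize("NFKC", text)


def build_blocklist(common_passwords):
    """Drop entries rule 1 already rejects; what is left is rule 2's list."""
    return {nfkc(p).casefold() for p in common_passwords
            if len(nfkc(p)) > MIN_EXCLUSIVE}


def check_password(password, username, email, site_url, blocklist):
    """Return the rule numbers the password breaks (empty list = accepted)."""
    broken = []
    normalised = nfkc(password)
    # Rule 1: count code points after normalisation, not encoded bytes.
    if len(normalised) <= MIN_EXCLUSIVE:
        broken.append(1)
    candidate = normalised.casefold()
    # Rule 2: reject anything on the common-password list.
    # Assumption: case is ignored, so "Password123" matches "password123".
    if candidate in blocklist:
        broken.append(2)
    # Rule 3: not equal to the username, the email address or the site URL.
    identifiers = {nfkc(v).casefold() for v in (username, email, site_url)}
    if candidate in identifiers:
        broken.append(3)
    # Rule 4: no composition checks (digits, symbols, mixed case) at all.
    return broken
```

A ten-character password such as `qwertyuiop` fails rule 1 only, because the boundary is "longer than 10", and it never reaches the blocklist since that entry was filtered out when the list was built.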