It’s not immediately obvious, but it is pretty straightforward math. It has to do with password length vs alphabet size.
Let’s look at an 8 letter lowercase only password. For every letter, you increase the maximum number of passwords by 26 (the number of letters in the alphabet). So it would be 26x26x26x26x26x26x26x26 or 26^8 which is 208,827,064,576. This is a lot of passwords, but pretty easy for a computer to brute force.
Let’s add the ! symbol. This means there are 27 options or 27^8. The total number of passwords is now 282,429,536,481. A bigger number, but not by much.
If we only have lowercase letters but increase it to 9 letters long, then it increases to 26^9 which equals 5,429,503,678,976. We’ve jumped from millions of passwords to billions with passwords only 1 character more.
If you allow all symbols and numbers, but also increase minimum length, you get the best of both without creating difficult to remember passwords.
This of course ignores the primary way people get past passwords: by asking the user for their password. It also ignores that an intruder is going to check the most common passwords and not just try them all. Adding numbers and symbols doesn’t really change the most common passwords though, since dragon just turns into Dragon1!
Steve@communick.news 1 year ago
Relevant XKCD.
Longer pass-phrases are easier to remember, and more secure, than shorter pass-words with numbers and symbols.
If you’re using a password manager, make them long, with numbers and symbols also.