eli5: How does adding numbers or symbols to a password make it more secure? If those characters are already in the list of options a hacker has to try then wouldn’t having them or not be irrelevant?

A hacker still has to try every combination when brute-forcing a password, don’t they? If my password was long enough why wouldn’t any type of characters be fine?

Best answer given by /r/danceswithsteers below: [https://xkcd.com/936/](https://xkcd.com/936/)

In: Mathematics

10 Answers

Anonymous 0 Comments

Let’s say you need to create a password with just the letter A and B, and for the sake of argument let’s say it’s 3 characters long.

You have different options like aaa, bbb, aba, bab, aab etc. Sooner rather than later someone would be able to guess your password easily.

Now let’s say you can now add C and D in there also. Now there are many more combinations, so the hacker has to guess for longer to find out your password.

So the more characters you add, the longer it takes to guess that password.

>If my password was long enough why wouldn’t any type of characters be fine?

Yes, it’s better to have a long password that you can remember, like MyGruesomeLeafblowerTeddybear than something that’s shorter but has more characters like @h&Y-61jk.

Anonymous 0 Comments

By adding non-alphabetic characters to passwords, you increase the number of unique permutations by a huge amount. More permutations means, of course, more time required for computers to find the correct permutation. If the password was both long enough (8 characters?), and complex (94 characters available), and randomized (i.e. not recognizable phrases) the number of permutations would be so great that even the most powerful computers (or arrays of computers) couldn’t solve the password within a practical period of time (like, more than a lifetime; given enough time, any computer tasked with this would eventually crack the password).

That approach, however, is/is becoming obsolete. Computers are increasingly powerful, where you now have desktop machines and networks that would leave early supercomputers in the dust. Given that, the current thinking is that *longer* passwords – even just alphabetic passwords – provide better security than shorter, complex passwords. In addition to the evolving need, we have tools (like password apps) that allow humans to manage long passwords (something that wasn’t available when we started widespread use of passwords). It’s probable that you’ll start seeing an increase in character min/max for passwords because of this (along with more two-factor authentication).

Of course… this is all moot with the advent of quantum computing.

Anonymous 0 Comments

Yes, you’re correct. If you just use random lower case characters, each additional letter you add increases the difficulty of brute forcing the password more than just adding a number.

However most people don’t use random letters for their passwords, they use words. Passwords based on words only are susceptible to dictionary attacks (guess your password as one or more words found in a dictionary), which make it easier for someone to crack your password.

Requiring a combination of letters, numbers, and special characters makes it harder to crack because those dictionary attacks are no longer an option and the number of combinations that someone would have to try in a brute force attack dramatically increases.

For example, in a dictionary attack, there are approximately 171k words in the English language. A random eight character password with only lower case has 26^8 possibilities (208,827,064,576). Requiring upper and lower case characters increases this to 52^8 possibilities (53,459,728,531,456).

Adding numbers takes this password to 62^8 possibilities (218,340,105,584,896), and finally special characters is 95^8 (6,634,204,312,890,625). That’s 6.6 quadrillion options, approximately half of which must be tried to brute force.

To your point however, a 12 character random password with only lowercase letters has 26^12 possibilities (95,428,956,661,682,176). So long story short, a longer password is almost always better than a password with more character types.

The best passwords are those that require two or more types of authentication, and when it’s an option, you should always go for multi-factor authentication.
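
An added example, not part of the thread: a small strength estimator in Python that contrasts the per-character search space computed in the answer above with a word-by-word dictionary search. The five-word wordlist is constructed, the 171,000 dictionary size is the thread's figure, and the model assumes words are picked uniformly at random, which real passphrases rarely are.

```python
import math
import string

# Constructed sample wordlist; a real estimator would load a full dictionary.
WORDS = {"my", "gruesome", "leafblower", "teddybear", "password"}
DICT_SIZE = 171_000  # the thread's approximate count of English words

def charset_size(pw):
    """Alphabet a brute-force search must cover, from the classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # 32 symbols plus space: 26 + 26 + 10 + 33 = 95
    return size or 95  # only non-ASCII characters: assume at least printable ASCII

def min_words(pw):
    """Fewest wordlist words that spell pw (case and spaces ignored), else None."""
    s = pw.lower().replace(" ", "")
    best = [0] + [None] * len(s)  # best[i]: fewest words covering s[:i]
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in WORDS:
                if best[end] is None or best[start] + 1 < best[end]:
                    best[end] = best[start] + 1
    return best[len(s)]

def estimate_bits(pw):
    """log2 of the smaller search space: per-character or per-word guessing."""
    if not pw:
        return 0.0
    brute = len(pw) * math.log2(charset_size(pw))
    k = min_words(pw)
    if not k:  # not made of wordlist words
        return brute
    return min(brute, k * math.log2(DICT_SIZE))

if __name__ == "__main__":
    for pw in ("password", "@h&Y-61jk", "MyGruesomeLeafblowerTeddybear"):
        print(f"{pw!r}: {estimate_bits(pw):.1f} bits")
```

On these inputs the four-word passphrase from the first answer comes out around 69.5 bits against roughly 59.1 for `@h&Y-61jk`, while `password` drops from 37.6 bits to 17.4 once the dictionary is considered.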

Anonymous 0 Comments

Adding characters (e.g. numbers) adds complexity and increases the time it would take to crack a password with brute force. However, adding length has a much bigger effect. So yes – a longer, simpler password will probably be harder to crack.

Anonymous 0 Comments

Pick a number from 1-100.
You’re pretty limited in your options if you only use digits, as you have 10*10 choices as each digit can only be a number.

If you replace the numbers with letters, you have 26*26 (676) options (a-z..a-z).

If you use numbers and letters, you have 36*36 (1296) options.

If you add just the symbols you can get with shift and numbers, you get 46*46, 2116.

Each additional character/option increases the number of possible passwords by a significant amount.

Keep in mind that’s only referring to 2 character passwords.

Anonymous 0 Comments

Because they don’t try passwords at random; they have a list of passwords that are common, with variations, that they go through in order of rarity.

If that fails, then you go through every possible password if you really and even this isn’t truly random because you’ll usually attempt all passwords of common lengths first.

It’s far easier to defeat the human than the computer.

Anonymous 0 Comments

The official advice by security experts now states that a longer passphrase with no special characters is better than a shorter password with special characters.

A passphrase is a series of words that are space-separated that will not be easily guessed with knowledge about its owner (for example: “pigeon fridge ectoplasm building”).

This advice is supported by academic research published in 2015 (Panferov, 2015).

Some standards bodies are currently trying to encourage all services to allow passwords of up to 64 characters in length.

Anonymous 0 Comments

Number of possible characters x number of characters in string, at its most basic form. Imagine you only had 3 characters to choose from, and your password is only 3 characters long. That’s 3×3, right – there are 9 possible combinations. Every time you add a character you make the number of possible incorrect solutions higher, and therefore more ‘expensive’ to crack. Any type of character is fine; an effective way to brute force is to run through a dictionary of terms. People are lazy and like words; drop a number in there and all of a sudden your word is no longer in a dictionary.

Anonymous 0 Comments

It’s more options. Like just characters would be ~26. With numbers it’s 10 more. With symbols it’s even more. That makes brute force harder, time longer. It’s quite a difference to have 26^n (n is the length) or to have 36^n.

Anonymous 0 Comments

I think the ultimate answer to this is the fact that humans *prefer* letters to digits and symbols.

If a lot of humans prefer letters to digits and symbols, then a reasonable hacker will first try passwords with lots of letters in them, and few (maybe even none) digits and symbols.

Incidentally, it’s not just numbers and symbols. In theory, even using *unlikely letters* such as X or Q makes your password less brute-forceable, because humans prefer common letters like E. **It really just depends on what everybody else is using for their passwords.**

A hacker is armed with the knowledge of what passwords *generally* look like. Your goal, ideally, is for your password to look as little like other passwords as possible. Having numbers and symbols in your password only makes it more secure because enough other people have neither numbers nor symbols in theirs. Your goal is to be *unique*.