If a hacker got the password file, which is encrypted, it could be deciphered by comparing the text string against known words that were encrypted the same way. Adding extra characters, numbers, and symbols makes it far more difficult to crack them.

You are right that a string of letters that are not words does have enhanced security, but you can’t test against that easily when someone creates a password. Adding those extra characters and symbols ensure that it will be more secure.

The security of a password is measured by how many guesses a hacker would have to make before they find your password. The more possible passwords you *could* have chosen, the more they have to guess.

If your password has to have an uppercase character in it somewhere, that increases the security. You have five characters, so if you randomly choose one to make uppercase, that’s five times as many passwords the adversary has to go through. Even more so with numbers.

All that said, this is a terrible password requirement. Making you use one uppercase letter and number can increase the number of possible passwords a bit – maybe 10-100 times if you’re good at choosing randomly. Adding two characters to the end of your password multiplies the number of possible passwords by many hundreds. In fact, more recent guidelines from NIST have advised companies to drop the requirements for uppercase letters or numbers, and instead just have a minimum length requirement.

There’s also a usability side. It’s much easier to remember two extra characters than to remember which characters you made uppercase, and which ones you turn into numbers. [This xkcd](https://xkcd.com/936/) was somewhat influential in popularizing this point, and it provides a very secure and memorable way to generate good passwords. Of course, the most secure way is to use a password manager, which can generate passwords that are so secure it would take millions of years to guess them correctly.

The idea is that it increased the entropy of the password. If you allowed just lowercase words, then you could easily breach a password with a standard dictionary attack (there are only about 170k words in English – a trivial amount for a brute force attack).

By forcing at least one of those to be a capital letter, you exponentially increase the number of possible passwords – even more so if you require numbers as well. **password** would show up in a standard dictionary attack, but **pa$sW0rd** would not – the attack would need to include millions of additional guesses to cover all of the permutations.

That all said, this is somewhat archaic advice. Password complexity requirements like this end up creating _less_ security, because people reuse or write down passwords they struggle to remember. Most security experts agree that passphrases are a better solution, particularly when combined with one-time passwords from TOTP apps.

When you use only lowercase english letters, there are only 26 choices, so the number of permutations that can be made would be 26^n where n would be the length of the password.

Now, if a hacker is using Brute force and trying every combination, he needs to try only 26^n times, not a lot when we have good computation powers. Almost no hacker would ‘guess’ the password. It’s very rare and almost stupid to do unless you know the person you are trying to crack the password of, REALLY WELL. Also, if you Uppercase random letters in the password and throw in symbols, guessing is virtually impossible.

So let’s say you use numbers now. You add in 10 more values. The number suddenly becomes 36^n.

And now if you use uppercase letters too, You have 26 lowercase, 26 uppercase and 10 digits, 62^n permutations or possibilities!

Now we have a lot many standard symbols, if you use them too, this number would further increase.

The brute force would take significantly longer time, often in years

If you don’t know how permutations work:
https://en.m.wikipedia.org/wiki/Permutation

Edit: some minor corrections in number of digits