Why adding @, &, *, #,%,etc makes your password stronger?

In: Technology

14 Answers

Anonymous 0 Comments

It makes for more different possibilities of what each character could be, and it makes it so your password won’t be found in a dictionary.

So, e.g., if your password were only numbers (0-9) and lowercase letters (a-z), then each character has 36 possibilities, right? So a 5-character password would have 36*36*36*36*36 possibilities. Now say you add uppercase letters and 15 different special characters. Now there are 77 possibilities per character, so 77*77*77*77*77 possibilities for what your password could be.

Edit: I understand there’s more to it, and the latest suggestions have changed to using a longer password/password managers instead; this was just trying to explain the basic premise of OP’s question.

Anonymous 0 Comments

It doesn’t… It’s just that a password brute-forcing algorithm is likely to guess the passwords with just letters and numbers first, because those are the most commonly used. Most websites which have passwords with requirements like “add a number and a symbol and a capital letter and no English words” have the wrong idea. These restrictions make passwords slightly stronger but also make them much harder for a human to remember. The best way to create a strong password is to make it LONG. Something like “Eucalyptus Paraguay Dorian Petrified Hindenberg” is very easy for a human to remember. However, it would take a computer ages to guess, even if it only guessed passwords composed of 5 English words separated by spaces and with each first letter capitalized. In any case, if you don’t think your password is secure enough, you can just add another word. Then, take your password’s security and multiply it by the number of words in the English language, and that’s how secure the new password is.

Anonymous 0 Comments

The short answer is that someone trying to guess your password using brute force has to test a wider range of characters at each position, greatly increasing the amount of time needed to find the password.

The long answer is that the industry is veeery sllllowwwly moving away from those kinds of complexity rules.

Why? Most passwords are not stolen this way anymore, they are stolen by sending phishing messages and having the user hand their password over willingly.

[NIST](https://pages.nist.gov/800-63-3/sp800-63b.html) now suggests not to create strict password rules anymore. Focus on “strength meters”, suggesting (but not forcing) longer passwords, and testing proposed passwords against lists of [compromised passwords](https://haveibeenpwned.com/Passwords) (and trivial changes) and only demanding password changes after a suspected or known breach.
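A minimal verifier-side policy of the kind this answer describes, as an added Python example (not from NIST or the poster): a length floor, no composition rules, and a lookup against a constructed stand-in for a compromised-password list that also catches the trivial variants people make of a blocked password. The breached set, the substitution table and the 256-character upper bound are assumptions.

```python
import hashlib
import re

# Constructed stand-in for a compromised-password corpus such as the Pwned Passwords
# list linked above. Real deployments hold millions of entries; this set is a toy.
CONSTRUCTED_BREACHED = {"password", "letmein", "qwerty123", "iloveyou", "summer2019"}
# Public lists ship as SHA-1 digests, so the policy code never needs the plaintext.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in CONSTRUCTED_BREACHED}

MIN_LENGTH = 8     # SP 800-63B's floor for user-chosen memorized secrets
MAX_LENGTH = 256   # assumed bound on KDF cost; SP 800-63B requires accepting at least 64

# Hypothetical, deliberately small table of substitutions to undo,
# so that "P4$$w0rd" is looked up as "password".
LEET = str.maketrans("@0134$5!7", "aoleassit")
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.]+$")


def variants(candidate: str) -> set[str]:
    """Forms to look up: the candidate itself plus the trivial changes people make
    to a blocked password (case, trailing digits or punctuation, leetspeak)."""
    low = candidate.lower()
    stripped = TRAILING_JUNK.sub("", low)
    return {candidate, low, stripped, low.translate(LEET), stripped.translate(LEET)}


def check_password(candidate: str) -> tuple[bool, str]:
    """Policy from the answer above: a length floor, no composition rules, and
    rejection of anything that is (or trivially derives from) a breached password."""
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(candidate) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    for form in variants(candidate):
        if hashlib.sha1(form.encode()).hexdigest() in BREACHED_SHA1:
            return False, "matches a known-compromised password or a trivial variant"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["P4$$w0rd!", "Letmein2019!", "Summer2019", "short", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw)}")
```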

Anonymous 0 Comments

The REALITY is that it DOES NOT make your password stronger. The now confessed moron that made that claim years ago admitted that he was 100% WRONG.

The best security is a LONG password. The time required to break a password is based upon LENGTH, not complexity. It’s been PROVEN that ridiculously complex passwords only lead to people writing them down because they can’t remember them.

Anonymous 0 Comments

It doesn’t. If you want to make your password stronger, make it longer.

[XKCD explains it very concisely.](https://xkcd.com/936/)

Anonymous 0 Comments

I was told by an IT security guy that works for the Air Force that special characters are not needed. He said to make your password 16 digits or longer and you should be safe. I dunno, I’m not a security guy in the Air Force though.

Anonymous 0 Comments

The XKCD comic explains why the complexity rules are stupid. Words are easy to type and easy to remember, therefore easy to make long. Nonsensical random strings of lower and upper case numbers are hard to remember, hard to type… and likely to end up written down on a post-it note that’s stuck to the back of the monitor. Least secure password there is.

Anonymous 0 Comments

They don’t; there is a lot of research on strict requirements, and the NIST standards have been updated to reflect this. The ability of the system you are accessing to accept a wide variety of characters is important, but length, above all else, has proven to be the most useful thing.

Anonymous 0 Comments

As others have said, it increases the total amount of characters that the password could contain. The equation for the total amount of passwords is the number of characters the password could contain (let’s say *n*), to the power of the number of characters in the password (let’s say *x*). Or, **n^x**. This equation tells you how many **bits of entropy** are in the password. And the higher a password’s entropy is, the harder it will be to brute force.

So if we had just letters and numbers, we would have 52 (26 * 2, because of capital letters and lowercase) + 10 (0 through 9), giving us an *n* of 62. If you had an 8-character password, the equation would be:

**62^8 = 218,340,110,000,000**

A strong botnet could generate roughly a billion guesses per second, leaving the maximum crack time for this password at 55 hours. (I’m glossing over some technical hurdles here, but that’s irrelevant for this discussion.)

**However**.

It may have occurred to you that simply having the *option* to use additional characters increases **n** and therefore increases crack time. This is partially true, but a brute-force attack is likely to be sequential, trying all lowercase combinations of letters first, then all alphabetical combinations, then all alphanumeric combinations, etc… (up to a certain character length).

**Still, the necessity of special characters is overblown in computer security.**

Increasing the base of that equation, the **n**, does increase the total bits of entropy in the password, and thus the crack time. But increasing the **x** is actually more important.

Take 10^5 = 100,000 for example. If I change that 10 to an 11, the result is 161,051. But, if I change that 5 to a 6, the result is 1,000,000.

The point here is that people end up using complex passwords for all these special characters, which end up being hard to remember. Alternatively, they use common substitution patterns like P4$$W0RD or H3110. This isn’t helpful whatsoever.

Length is the most important property of a password. Memorability is the second most. Writing a password down negates its security.

**Want to know what a real secure password looks like?**

*Thisisaverysecurepasswordbecauseitissuperlongandthatmeansithasacrazyamountofentropy*

It’s just a sentence, with no special characters, and yet to crack it would take this many attempts: **26808809068614883 with 126 zeroes after it.** Or, **2.6808809068614883e142.**

Brute forcing it would be impossible (except maybe with a quantum computer? But that’s a story for another time.) However, a dictionary attack could actually reduce that crack time to realistic scales. A dictionary attack uses combinations of *words* instead of characters.

**The solution?**

Mix them. Allow for white space and special characters and all that jazz. Then, you can have passwords like this:

*This password is just too good to be forgotten! In 100 years I’ll still remember it! #secure! Best password ever, don’t @ me!*

You want stuff in there that will throw off a dictionary attack, and you want it long enough to negate a brute force attack. And as I said earlier, you want it to be easily remembered. Use pass-phrases or pass-sentences, not pass-words.

Now of course, a good password manager like KeePass bypasses all of this by generating super long and super complex passwords that you’ll never have to remember. You only need to remember the master password (which should be something like what I wrote above.)
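The arithmetic in this answer, together with the 36-vs-77 comparison and the “five English words” argument in earlier answers, as an added Python example (not from any of the posters): it computes the search space n^x, its size in bits, the worst-case exhaustive-search time at the quoted billion guesses per second, and the 10^5 / 11^5 / 10^6 comparison. The 7776-word list size used for the passphrase figure is an assumption (the Diceware list size).

```python
import math

GUESSES_PER_SECOND = 1_000_000_000  # the "strong botnet" rate quoted in the answer above

def search_space(n: int, x: int) -> int:
    """Candidate passwords when each of x positions can hold any of n symbols: n ** x."""
    return n ** x

def entropy_bits(n: int, x: int) -> float:
    """log2 of the search space: linear in the length x, only logarithmic in the alphabet n."""
    return x * math.log2(n)

def exhaustive_hours(n: int, x: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return search_space(n, x) / rate / 3600

def passphrase_bits(dictionary_size: int, words: int) -> float:
    """A dictionary attack enumerates words, not characters, so the base is the word list."""
    return words * math.log2(dictionary_size)

def longer_beats_wider(n: int, x: int) -> bool:
    """True when one more character (n ** (x + 1)) beats one more symbol ((n + 1) ** x).
    Equivalent to n > (1 + 1/n) ** x, which holds for every realistic alphabet at
    ordinary lengths and fails only for tiny alphabets or extremely long x."""
    return search_space(n, x + 1) > search_space(n + 1, x)

if __name__ == "__main__":
    cases = [("digits + lowercase", 36, 5), ("+ upper + 15 symbols", 77, 5),
             ("alphanumeric", 62, 8), ("printable ASCII", 95, 8), ("alphanumeric", 62, 12)]
    for label, n, x in cases:
        print(f"{label:22s} n={n:3d} x={x:2d} space={search_space(n, x):.3e} "
              f"bits={entropy_bits(n, x):5.1f} hours={exhaustive_hours(n, x):.3g}")
    # Assumed 7776-word list (the Diceware list size), five words, as in the "five English words" answer.
    print(f"5 words from a 7776-word list: {passphrase_bits(7776, 5):.1f} bits")
    print("10^5, 11^5, 10^6:", search_space(10, 5), search_space(11, 5), search_space(10, 6))
```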

Anonymous 0 Comments

this may be controversial, but it’s security theater, and it really doesn’t.

expanding the **potential** set to full ASCII from the basic alphanumeric does increase entropy per bit. but because of how combinatorial math works, adding more characters will always give you better security than expanding the set of possibilities for a character.

also, so long as **some** people use “special characters” (edit for the advanced students: **or include them in your possible salts**) then any attempt to crack the password will have to account for them.

it might matter a little bit if they steal an entire database of all user passwords, if the password database is designed **so badly** that a single weak password anywhere in it can be used to break the encryption of all passwords in the user database (see below for more on that).

in general it would be infinitely safer to allow alphanumeric but set a minimum of 16 or even 24 characters rather than allow 8-character passwords but make you pick passes that look like the quadratic formula threw up.

also, those super complex rules just make people write them down someplace or store them in often insecure ways.

TL;DR: it’s mostly useless old thinking; “ThisIsTheAdministratorPassForFallOf2019ForActiveDirectory” has tons more entropy than “aHs$@1k5p!S”

more on what I meant about cracking a stolen DB: there may be a **little** utility against a precomputed hash attack against a stolen password database which was designed very badly, because without nonces or with a single shared salt, a single weak password anywhere in the database can break the encryption.
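An added Python example (not the poster’s) contrasting the three storage schemes this comment alludes to: no salt at all, one salt shared by the whole table, and a random per-user salt with a slow KDF. It counts how many stored rows duplicate another row under each scheme, which is what a stolen table gives away before any guessing starts. The user table, the site-wide salt and the iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; kept low for the demo, production uses far more
# Constructed user table: two users happen to share a password.
CONSTRUCTED_USERS = [("alice", "Summer2019!"), ("bob", "Summer2019!"),
                     ("carol", "correct horse battery staple")]

def hash_unsalted(password: str) -> str:
    """The badly designed table from the comment: no salt, so equal passwords give
    equal rows and one precomputed table of hashes covers every user at once."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_shared_salt(password: str, site_salt: bytes) -> str:
    """Still bad: one salt for the whole table. Equal passwords still collide and a
    table precomputed once for this salt is reusable against every row."""
    return hashlib.sha256(site_salt + password.encode()).hexdigest()

def make_record(password: str) -> dict:
    """Per-user random salt plus a slow KDF: equal passwords yield different records,
    and each guess must be recomputed per user, so nothing precomputed is shared."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def count_identical_hashes(hashes: list) -> int:
    """Stored values that duplicate another row: information an attacker gets for free."""
    return len(hashes) - len(set(hashes))

def leakage_comparison() -> dict:
    """Duplicate count under each storage scheme for the constructed user table."""
    site_salt = b"constructed-site-wide-salt"
    passwords = [p for _, p in CONSTRUCTED_USERS]
    return {
        "unsalted": count_identical_hashes([hash_unsalted(p) for p in passwords]),
        "shared_salt": count_identical_hashes([hash_shared_salt(p, site_salt) for p in passwords]),
        "per_user_salt": count_identical_hashes([make_record(p)["hash"] for p in passwords]),
    }

if __name__ == "__main__":
    print(leakage_comparison())  # {'unsalted': 1, 'shared_salt': 1, 'per_user_salt': 0}
```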