Why is a password with both numbers and letters stronger than one with only letters? Attackers will include numbers in their brute force attempts anyway, so how does it make a difference?

26 Answers

Anonymous 0 Comments

An 8-letter password with only letters (upper+lower case) would have 52^8 combinations.

An 8-letter password with letters+numbers has 62^8 combinations.

They have to brute force 100 million more combinations of letters+numbers.

A lot of brute-force attacks are just using dictionary words. But going from ‘password’ to ‘p4ssw0rd’, they must have a lot more combinations to try.

Anonymous 0 Comments

It’s stronger because it forces them to start with a larger dataset to narrow down from.

That said, the easiest way to make a password stronger is length, not complexity.

This is a good explanation: https://xkcd.com/936/

(xkcd: Password Strength; correcthorsebatterystaple)
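
Worked numbers for the keyspace arithmetic in the first answer and the length-versus-complexity point in this one. This is an added example, not code from any of the answers; the guess rate is an assumption (a GPU rig against a fast unsalted hash), and the table assumes every password is chosen uniformly at random, which human-chosen passwords are not.

```python
import math


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy for a password chosen uniformly from `space`."""
    return math.log2(space)


def bits_gained_by_larger_alphabet(old_size: int, new_size: int, length: int) -> float:
    """Extra bits from widening the alphabet while keeping the length fixed."""
    return length * math.log2(new_size / old_size)


def bits_gained_by_extra_symbol(alphabet_size: int) -> float:
    """Extra bits from appending one more uniformly chosen symbol."""
    return math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Wall-clock years to try the whole space at a fixed guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


# Assumption for the demo: 1e10 guesses/s, the order of a GPU rig against a
# fast unsalted hash such as MD5 or SHA-1. A slow hash (bcrypt, scrypt,
# Argon2) cuts this by several orders of magnitude.
RATE = 1e10


def strength_table(rate: float = RATE):
    """Compare several password shapes; rows sorted from weakest to strongest."""
    cases = [
        ("8 letters, mixed case", keyspace(52, 8)),
        ("8 letters + digits", keyspace(62, 8)),
        ("8 printable ASCII", keyspace(95, 8)),
        ("12 lowercase letters", keyspace(26, 12)),
        ("4 words from a 2048-word list", keyspace(2048, 4)),
    ]
    rows = [
        (label, space, entropy_bits(space), years_to_exhaust(space, rate))
        for label, space in cases
    ]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for label, space, bits, years in strength_table():
        print(f"{label:32s} {space:22,d}  {bits:5.1f} bits  {years:10.3g} years")
    print("bits added by digits at length 8:",
          round(bits_gained_by_larger_alphabet(52, 62, 8), 2))
    print("bits added by one more mixed-case letter:",
          round(bits_gained_by_extra_symbol(52), 2))
```

Two things the table makes concrete: 62^8 exceeds 52^8 by about 1.65×10^14 combinations, which is only about 2 extra bits of entropy, while each additional mixed-case letter adds about 5.7 bits; and 12 random lowercase letters (about 56 bits) outrank 8 random characters from the full printable set (about 53 bits). Four words drawn uniformly from a 2048-word list come to exactly 44 bits, the figure the xkcd strip uses.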

Anonymous 0 Comments

If the hackers know that you’re required to include numbers, then they have to include numbers in a brute force attempt. If they know that you’re allowed to use a less secure password, then they’ll start by checking those.

Anonymous 0 Comments

A brute force attack won’t just go through all possible combinations randomly. They start with lists of common passwords, move on to dictionary words, word combos, random letters, random letters + 1 number, etc.

Anonymous 0 Comments

No, it’s not necessary to include numbers in a cracking attempt if you know there are passwords in the targeted datasets without numbers. You don’t aim to crack all exposed passwords, that’s unlikely to be possible, you aim for the lowest hanging fruit you can reasonably get.

Anonymous 0 Comments

Brute force is looking for a needle in a haystack. Adding numbers and characters makes a bigger haystack.

Anonymous 0 Comments

Brute force attempts to guess a password are basically useless against a properly designed authentication system. Websites lock people out after a few attempts, so generally in order to guess your password they need to have gotten the database of hashed and salted passwords first so that they can run all of the attempts on their local machine (websites don’t store your actual password; they put it through a one-way hash so that they can only verify that you are giving them the correct one without ever storing the password itself).

Even doing that, though, is extremely difficult if the passwords are just random characters. There are just far too many combinations.

So hackers don’t rely on that kind of “brute force” attack. What they do instead is rely on people having weak passwords, like “password”. There’s a commonly available list of passwords that people use, so they start with those and see if they can get into anyone’s account with them. By forcing people to use numbers and letters you make it much harder for people to wind up using the same few common passwords over and over again.

The actual difference between the number of combinations between 10 letters and 10 letters + numbers is almost beside the point. The real point is to disrupt the most common patterns people fall into so that a hacker can’t just take a list of 100 commonly used passwords and try them against your 100,000 users and rely on at least some of them having used “qwerty”.

Anonymous 0 Comments

If you don’t force people to use numbers/characters then 90% of people will be lazy and just use common words. This would mean when brute forcing, a hacker could stick to letters to brute force faster. This would cause a handful of passwords that actually use numbers to be even more secure, but the people that use only letters (most people) would be even less secure.

Anonymous 0 Comments

Counter question: why is “password” any less secure than any other 8 character password? If the attacker goes straight to attempting a brute force with all allowable characters, it’s just as secure as any other password. But an attacker is likely to try “password” along with any other commonly used passwords before attempting a brute force attack.

The same goes even for random passwords that can’t be cracked with a dictionary attack. If an attacker thinks there is any chance your password is only letters, they’ll try brute forcing letters-only passwords before attempting to brute force alphanumeric passwords, before trying to brute force passwords with special characters. That first letters-only attempt will execute much faster, so the password is less secure.

Edit: guys I’m aware that dictionary attacks exist. OP was asking about a brute force attack, and I was using “password” as a hyperbolic example for why some passwords are obviously less secure despite being equivalent under a raw brute force through the entire key space.

Anonymous 0 Comments

The first thing to understand is that passwords aren’t usually guessed by trying through the website. Instead if a website gets hacked the list of all passwords will be downloaded. Now this password won’t be that useful as it’s all encrypted^1 but you know the way the encryption works so if you guess the password you can run the same algorithm on it and check that the garbled output you get matches the garbled password in the stolen list of passwords.

Guessing passwords with brute force is almost never used these days.

Instead attackers scrape already cracked real passwords from datasets of hacked websites in the past (the website might have been poorly built, making it easy to guess the password quickly) and use those to create a dictionary.

Rather than guessing aaaaaaa, then aaaaaab etc. they’ll first try every password in their dictionary of passwords, then try every password but replace i’s and L’s with 1’s, A’s with @’s etc. and try all those combinations. It’s still a lot to try but it’s way less than guessing every password with brute force, and it’s way faster as you’ll get the vast majority of the database of passwords in the first few runs through.

So the reason having numbers and letters and characters is important is not because it’s harder to brute force (although it IS), but because you want a password that’s never been used before and the more different types of characters you have the more likely whatever you choose will be novel.

^1 Yes I know it’s not actually encryption but hashing (and salting), but this is ELI5 and most people kinda get what encryption is so it works for this simplified explanation.
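
The offline attack ordering that this answer, the “Counter question” answer and the “A brute force attack won’t just go through all possible combinations” answer describe, as an added example that is not part of any answer on this page. It assumes a constructed leaked credential table (five made-up users with deterministic salts), salted SHA-256 standing in for the site’s one-way hash, a six-word wordlist, and one small rule set (capitalize, a leet substitution, three suffixes). The phases run cheapest first: plain wordlist, wordlist with rules, letters-only brute force, then letters-plus-digits brute force; the brute-force length is capped at 3 only so the demo finishes instantly.

```python
import hashlib
import itertools
import string


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256 standing in for the site's one-way hash (assumption for the
    demo). A real system should use a slow, tunable hash such as bcrypt, scrypt
    or Argon2, which makes every guess below cost far more."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed leak: five made-up users and the passwords they chose (not real data).
_CHOSEN = {
    "alice": "password",                   # straight off any common-password list
    "bob":   "p4ssw0rd",                   # a dictionary word with a leet rule applied
    "carol": "zqx",                        # short, lowercase letters only
    "dave":  "z9x",                        # short, letters plus a digit
    "eve":   "correcthorsebatterystaple",  # long passphrase, not in our wordlist
}


def build_leak():
    """The stolen table as the attacker sees it: (user, salt, hash). No plaintext."""
    leak = []
    for i, (user, pw) in enumerate(_CHOSEN.items()):
        salt = bytes([i + 1]) * 8  # deterministic toy salt so the run is reproducible
        leak.append((user, salt, hash_password(pw, salt)))
    return leak


WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "monkey"]

# One small rule set: a -> 4, e -> 3, i -> 1, o -> 0 (real rule files are far larger).
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0"})


def mangle(words):
    """Rule pass: common rewrites of each base word, five candidates per word."""
    for w in words:
        yield w.capitalize()
        yield w.translate(LEET)
        for suffix in ("1", "123", "!"):
            yield w + suffix


def brute_force(alphabet, max_len):
    """Exhaustive search, shortest first, restricted to the given alphabet."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(leak, candidates, found):
    """Test every candidate against every still-uncracked user.

    Because each stored hash is salted, a candidate must be re-hashed per user
    (the salt defeats hashing once and comparing against the whole table).
    Returns (newly cracked {user: password}, candidates tried, hashes computed)."""
    new = {}
    guesses = hashes = 0
    for cand in candidates:
        guesses += 1
        for user, salt, h in leak:
            if user in found or user in new:
                continue
            hashes += 1
            if hash_password(cand, salt) == h:
                new[user] = cand
    found.update(new)
    return new, guesses, hashes


def run_attack(max_len=3):
    """Run the phases cheapest first, the way a real cracking job is configured."""
    leak = build_leak()
    found = {}
    phases = [
        ("wordlist", WORDLIST),
        ("wordlist+rules", mangle(WORDLIST)),
        ("brute lowercase", brute_force(string.ascii_lowercase, max_len)),
        ("brute lower+digits", brute_force(string.ascii_lowercase + string.digits, max_len)),
    ]
    report = {}
    for name, cands in phases:
        report[name] = crack(leak, cands, found)
    uncracked = [user for user, _, _ in leak if user not in found]
    return report, uncracked


if __name__ == "__main__":
    report, uncracked = run_attack()
    for name, (new, guesses, hashes) in report.items():
        print(f"{name:20s} {guesses:6d} candidates  {hashes:6d} hashes  cracked {new}")
    print("still uncracked:", uncracked)
```

What the run shows: “password” falls on the second candidate, “p4ssw0rd” falls in the rule pass after 36 candidates in total, the letters-only pass finds “zqx” after at most 18,278 candidates, and only the wider alphabet (47,988 candidates at this length) reaches “z9x”. The passphrase survives all four phases because it is in none of them. The hash counter also shows why salting matters: every candidate is hashed once per remaining user, so a cracked table cannot be attacked with a single precomputed lookup.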