Why is a password with both numbers and letters stronger than one with only letters? Attackers will include numbers in their brute force attempts anyway, so how does it make a difference?


26 Answers

Anonymous

If an attacker doesn’t know the possible input combinations for a valid password, then they really have no choice but to try all of them, but they can still simplify things a bit. If there are mandatory symbol combinations, it gets much, much harder.

A lazy brute force attacker might try 0-16 symbols all lower case first, followed by 0-16 symbols all upper case, then 0-16 symbols mixed upper and lower case, followed by 0-16 symbols of just numbers, followed by 0-16 symbols of mixed uppercase, lowercase, numbers, and exclamations.

There are 26 letters in the Latin alphabet, 10 numbers, and plenty of additional symbols such as punctuation marks.

26 lower case symbols, 26 upper case symbols, 10 numeric symbols, and 18 other printable symbols make 80 possible symbols per position in a passcode.

If we allow only numbers and limit a passcode length to 4, then we have 10^4 possible input values, or 10,000. That’s chickenshit for any computer to brute force.

If we allow any combination of letters, numbers, and symbols with a minimum passcode length of 6 then a user with a password that contains only 6 lower case letters will require only 308,915,776 guesses at most. A lazy attacker will inevitably breach a few accounts with unsophisticated passwords assuming no lockout policy. Someone will inevitably use ‘passwd’ as their password and this will get brute forced.

If we require our password to have at least one upper case letter, one lower case letter, one number, one of 18 valid symbols (e.g., +÷=<>), and a minimum length of 8 characters, then the maximum number of attempts before a breach is guaranteed balloons to 1.66E+15, or 1.67 quadrillion. Attempts to find poor passwords using this method just won’t work. Small input fields such as 6 lower case characters will never work, so it’s not even worth trying.
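As an added example (not part of the answer above), the keyspace arithmetic from this answer in Python: it counts the guesses the tiered brute-force attacker described here needs in the worst case to reach a given password, and checks the one-of-each-class, 8-character policy. The exact 18-symbol set is an assumption, since the answer names only a few symbols.

```python
import string

# Character classes as counted in the answer: 26 lower, 26 upper, 10 digits and
# 18 other printable symbols, 80 in total. The symbol set is constructed here;
# the answer only names "+÷=<>" as examples of valid symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!@#$%^&*()-_=+<>?/"),
}
ALLOWED = set().union(*CLASSES.values())

# The lazy attacker's tier order from the answer: all-lowercase first, then
# all-uppercase, mixed case, digits only, and finally every class together.
TIERS = [("lower",), ("upper",), ("lower", "upper"), ("digit",),
         ("lower", "upper", "digit", "symbol")]
MAX_LEN = 16  # each tier is tried for lengths 1..16 before moving on

def alphabet_size(classes):
    return sum(len(CLASSES[c]) for c in classes)

def keyspace(size, length):
    """Passwords of exactly `length` characters drawn from `size` symbols."""
    return size ** length

def exhaustive(size, max_len):
    """Guesses needed to try every length from 1 up to `max_len`."""
    return sum(keyspace(size, n) for n in range(1, max_len + 1))

def classes_used(pw):
    return {name for name, chars in CLASSES.items() if any(ch in chars for ch in pw)}

def worst_case_guesses(pw):
    """Guesses before the tiered attacker is guaranteed to have tried `pw`."""
    if not pw or any(ch not in ALLOWED for ch in pw):
        raise ValueError("password uses characters outside the 80-symbol set")
    used, guesses = classes_used(pw), 0
    for tier in TIERS:
        if used <= set(tier):
            # pw lives in this tier: count everything up to its own length
            return guesses + exhaustive(alphabet_size(tier), len(pw))
        guesses += exhaustive(alphabet_size(tier), MAX_LEN)  # whole tier skipped

def meets_policy(pw):
    """At least one of each class and 8+ characters, as the answer requires."""
    return len(pw) >= 8 and classes_used(pw) == set(CLASSES)
```

Note that the answer's 308,915,776 figure is `keyspace(26, 6)` alone; `worst_case_guesses("passwd")` is slightly larger because it also counts the shorter lowercase guesses tried first.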
