Why is a password with both numbers and letters stronger than one with only letters? Attackers will include numbers in their brute force attempts anyway, so how does it make a difference?


26 Answers

Anonymous 0 Comments

I have a space bar between every letter/number on my pass, on a mechanical keyboard typing your pass feels like playing guitar hero

Anonymous 0 Comments

Let’s try this simplified.

I’m thinking of a letter. You can try once per second to guess the letter. On average, it’s going to take you 13 seconds to guess the letter.

Now, I’m thinking of a string of letters that’s 6 characters long. That’s 154,000,000 seconds, or about five years. Wildly impressive!

Except… I need to remember the string, and so I’m likely to pick a six-letter word. Well, that’s an average of about 25,000 options. You’d be likely to get the right word in about six hours if you decided to guess words.

So now you have to add a number. And that makes things interesting. It could be five digits and one letter, and the letter can be anywhere in the string. It could be a five-letter word with a number at the beginning, or the end, or the middle, or swapped for a letter. It could be a 3- or 4-letter word.

And so brute forcing can’t easily assume just real words. With 36 options per character slot, it would take you 31 years on average to guess correctly.

Anonymous 0 Comments

Let’s do a quick example or two. For this we’ll assume all passwords are between 8 and 64 characters long.

Imagine the extremes:

– A password that can only have the capital letter “A” in it.
How many combinations does an attacker need to try? Easy to figure out.
8 characters long: AAAAAAAA
9 characters long: AAAAAAAAA
10 characters long: AAAAAAAAAA
and so on, until they reach the right password. If the right password is the one with 64 “A”s, then they’re trying (64 – 8 + 1 = 57) passwords. (the + 1 is because the 8 character long password is not excluded from the group.)
It’s trivially easy to check 57 passwords as an attack.

– Let’s jump up to a password that can have either an “A” or a “B” in each spot.
Now how many combinations does an attacker need to try?
8 characters long: AAAAAAAA, or AAAAAAAB, or AAAAAABA, or AAAAAABB, or AAAAABAA, or AAAAABAB, or AAAAABBA, or AAAAABBB, or AAAABAAA, etc….
As we can see here, even just an 8 character long password has way more combinations of possibilities. This isn’t even taking into account 9 character long passwords, or 10 character long passwords, or all the rest of the lengths.
Simply adding one more possible character in each spot drastically increases the possible passwords that have to be checked.

– A password that is one character long, but can be one of infinite characters (pretend we have infinite different letters/numbers/emojis/whatever that can be used).
The password only has one character in it! But… there are infinite possibilities. On average, the number of characters that has to be checked to find the right one is… infinite. (technically closer to infinity / 2, which, you guessed it, is still infinite.)

This also showcases that having more possible characters to choose from makes it drastically harder to guess the right password, no matter the length. Therefore, adding more choices of things that can make up a password makes it harder for an attacker to guess the password.

Anonymous 0 Comments

Brute force often involves dictionary attacks, which is literally using words and combinations of words from a dictionary. As soon as you introduce numbers, symbols, mixed case you make that type of brute force attack exponentially more challenging.

Anonymous 0 Comments

You’ve either got to brute force from a combination of up to 26 unique characters (letters only) or 36 unique characters (letters and numbers). The more unique character combinations possible, the slower it is to brute force.
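The keyspace arithmetic in the "A / A-or-B" answer above, the 26-versus-36 comparison, and the dictionary-attack point, put into runnable form. This is an added example, not code posted by anyone in the thread. The word list, the mangling rules and the guess rate are constructed for illustration; a real attacker uses lists of millions of leaked passwords and hardware that tries billions of candidates per second against fast hashes.

```python
"""Keyspace arithmetic versus a dictionary attack (illustrative, self-contained)."""
import itertools
import string

LOWER = string.ascii_lowercase                          # 26 symbols
LOWER_DIGITS = string.ascii_lowercase + string.digits   # 36 symbols


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of length min_len..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def expected_guesses(space: int) -> float:
    """Average guesses to hit a password chosen uniformly from `space` candidates."""
    return (space + 1) / 2


def seconds_to_crack(space: int, guesses_per_second: float) -> float:
    """Expected wall-clock time for an exhaustive search at a given guess rate."""
    return expected_guesses(space) / guesses_per_second


def brute_force(target: str, alphabet: str, max_len: int):
    """Exhaustive search, shortest lengths first. Returns the guess count or None."""
    guesses = 0
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            guesses += 1
            if "".join(tup) == target:
                return guesses
    return None


# Constructed toy word list standing in for a real leaked-password list.
WORDLIST = ["summer", "dragon", "monkey", "password", "letmein", "banana"]


def mangle(word: str):
    """Yield the word plus the cheap variants attackers try first ("rules")."""
    yield word
    yield word.capitalize()
    for d in string.digits:              # trailing digit: monkey7, Monkey7
        yield word + d
        yield word.capitalize() + d
    for year in range(1990, 2026):       # trailing year: summer2019
        yield word + str(year)


def dictionary_attack(target: str, wordlist=WORDLIST):
    """Try every mangled form of every word. Returns the guess count or None."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if candidate == target:
                return guesses
    return None


if __name__ == "__main__":
    rate = 1e9  # assumed: one billion guesses per second against a fast hash
    print("only 'A', length 8..64 :", keyspace(1, 8, 64), "candidates")
    print("'A' or 'B', length 8    :", keyspace(2, 8, 8), "candidates")
    for size, name in ((26, "letters"), (36, "letters+digits")):
        space = keyspace(size, 8, 8)
        print(f"{name:15s} length 8: {space:>16,d} candidates,"
              f" ~{seconds_to_crack(space, rate):,.0f} s expected")
    # A 7-character password that is in the 36-symbol keyspace but is also a
    # mangled dictionary word falls in a few hundred guesses, not ~4e10.
    print("dictionary attack on 'monkey7':", dictionary_attack("monkey7"), "guesses")
    print("expected exhaustive guesses, 36^7:", expected_guesses(keyspace(36, 7, 7)))
```

The last two lines are the point of the thread: the symbol set sets an upper bound on attacker effort, but only if the password is actually chosen from the whole keyspace. A word with a digit stuck on the end lives in the 36-symbol space on paper and is still found almost immediately, which is why a random alphanumeric string and "monkey7" are not equally strong despite having the same alphabet and length.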

Anonymous 0 Comments

So much misinformation in this thread that could be addressed by watching this short computerphile video: