PASSWORD SECURITY IS COUNTERINTUITIVE:
“Your password must be 8 characters & contain upper, lower, digit & punctuation characters” => “Your password is now 2.14x easier to guess via brute force.”
We’re not joking; the number of 8-char passwords with the above constraint is 2807657387458560; the number without constraint is 6095689385410816.
The constraints slash diversity by more than 50%.
Source for the proof: enumerate every possible 8-character string, reject those that don't satisfy the constraints, and multiply out:
Anyone who believes that 2.8 quadrillion passwords (2,807,657,387,458,560) is “a lot” needs to be aware that @hashcat runs at billions of hashes per second, nowadays.
At 6bn hashes per second, you exhaust the space in 5 days & 10 hrs.
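The counting behind the two figures above, and the exhaustion-time arithmetic, worked as an added example (this is not code from the original thread). The class sizes (26 upper, 26 lower, 10 digits, 32 punctuation, 94 in total) and the 6 bn hashes/second rate are taken from the text; the four-class count is done by inclusion-exclusion over the classes that are absent, and the formula is cross-checked by literal brute-force enumeration on a constructed toy alphabet small enough to enumerate. The ratio of the two counts is computed from the counts themselves rather than quoted.

```python
# Added example, not code from the original thread: reproduce the two
# password-space counts with inclusion-exclusion, validate the formula by
# brute force on a shrunken (constructed) alphabet, and turn a count into
# exhaustion time at a given hash rate.
from itertools import combinations, product
import string

# The four classes behind "upper, lower, digit & punctuation": 26+26+10+32 = 94.
CLASSES = [string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation]


def unconstrained(class_sizes, length):
    """All strings of `length` drawn from the union of the classes."""
    return sum(class_sizes) ** length


def with_every_class(class_sizes, length):
    """Strings of `length` that contain at least one char from every class.

    Inclusion-exclusion over the set of classes that are *absent*: strings
    missing a given set of classes are drawn only from the remaining
    characters, and each term is added or subtracted according to how many
    classes it leaves out (odd count subtracts, even count adds back).
    """
    alphabet = sum(class_sizes)
    total = 0
    for k in range(len(class_sizes) + 1):
        sign = -1 if k % 2 else 1
        # combinations() works positionally, so two classes of equal size
        # (upper and lower, both 26) are still treated as distinct classes.
        for missing in combinations(class_sizes, k):
            total += sign * (alphabet - sum(missing)) ** length
    return total


def with_every_class_bruteforce(classes, length):
    """Literal enumeration: generate every string, keep those hitting every
    class. Only feasible for toy alphabets; used to check the formula."""
    alphabet = "".join(classes)
    hits = 0
    for chars in product(alphabet, repeat=length):
        if all(any(c in cls for c in chars) for cls in classes):
            hits += 1
    return hits


def exhaustion_time(space_size, hashes_per_second):
    """(days, hours), to the nearest hour, to try every candidate once."""
    hours = round(space_size / hashes_per_second / 3600)
    return divmod(hours, 24)


if __name__ == "__main__":
    sizes = [len(c) for c in CLASSES]
    free = unconstrained(sizes, 8)
    forced = with_every_class(sizes, 8)
    print(f"unconstrained 8-char strings:   {free:,}")
    print(f"all four classes required:      {forced:,}")
    print(f"search space shrinks by         {100 * (1 - forced / free):.1f}%")
    print(f"factor easier to brute-force:   {free / forced:.2f}x")
    days, hours = exhaustion_time(forced, 6_000_000_000)
    print(f"exhausted at 6 bn H/s in        {days} days {hours} hrs")

    # Constructed toy alphabet: two characters per class and short lengths,
    # so brute force is affordable and must agree with the formula.
    toy = ["AB", "ab", "12", "!?"]
    for n in range(4, 6):
        assert with_every_class([2, 2, 2, 2], n) == with_every_class_bruteforce(toy, n)
```

Running it reproduces 2,807,657,387,458,560 and 6,095,689,385,410,816 exactly, and the 5 days 10 hrs figure at 6 bn hashes/second; the ratio of the two counts computed here comes out at about 2.17, so "more than 50%" is the safer way to state the reduction. The same functions take any list of class sizes and any length, so they also show how the gap between constrained and unconstrained spaces changes as the minimum length grows.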