Size is all that matters

October 25th, 2008 at 22:34

Password complexity requirements really piss me off. While it isn't my favourite activity in the world, let's do some math.

There are 52 characters in a-zA-Z. There are approximately 80 characters in a-zA-Z0-9 plus symbols. So for a six-character password whose minimum requirements include a lowercase letter, an uppercase letter, a number and a symbol, the number of combinations is 80 to the power of 6, which is 262,144,000,000. Well gee, that's a lot. It sure must take a brute-forcer a long time to crack that. Well, not really. This page I found benchmarking MD5 on CUDA reports everything in millions of MD5 hashes per second. That's one computer, using consumer (albeit high-end) equipment. It wouldn't take long to brute-force that.

What if the password requirements were only a-zA-Z but SEVEN characters? 1,028,071,702,528 combinations. An order of magnitude more combinations, but with very lax character requirements.
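To put numbers on the above (and on the 12 to 20 letter passwords argued for at the end of the post), here is an added example that is not code from the original post. It goes one step further than the post: because the complexity rule demands at least one character from every class, the policy's real search space is smaller than 80^6, and inclusion-exclusion counts it exactly. The class sizes (26 lower, 26 upper, 10 digits, 18 symbols, totalling the post's approximately 80) and the 500 million MD5/s guessing rate are assumptions.

```python
"""Keyspace arithmetic behind the post's argument (added example, not the author's code).

Character-class sizes are assumptions: 26 lower, 26 upper, 10 digits and 18 symbols,
which add up to the post's "approximately 80" printable characters.
"""
from itertools import combinations

CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 18}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over an alphabet."""
    return alphabet_size ** length


def compliant_keyspace(length: int, classes: dict = CLASSES) -> int:
    """Count passwords of `length` that contain at least one char from EVERY class.

    Inclusion-exclusion: start from all strings over the full alphabet, subtract
    those missing each single class, add back those missing each pair, and so on.
    """
    names = list(classes)
    total = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = sum(n for c, n in classes.items() if c not in missing)
            total += (-1) ** k * remaining ** length
    return total


def seconds_to_exhaust(combos: int, hashes_per_second: float) -> float:
    """Wall-clock time to try every candidate at a given guessing rate."""
    return combos / hashes_per_second


if __name__ == "__main__":
    RATE = 500e6  # assumed: 500 million MD5/s, in the "millions per second" range the post cites
    for label, combos in [
        ("6 chars, all 4 classes required", compliant_keyspace(6)),
        ("6 chars, any of 80 (post's figure)", keyspace(80, 6)),
        ("7 letters only", keyspace(52, 7)),
        ("12 letters only", keyspace(52, 12)),
        ("20 letters only", keyspace(52, 20)),
    ]:
        days = seconds_to_exhaust(combos, RATE) / 86400
        print(f"{label:36} {combos:>32,d} {days:>22,.1f} days")
```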

Sysadmins, stop terrorizing us with your crazy password complexity requirements! If you want your passwords to be safe, make them long! A 12- to 20-character letter-only password can be far easier to memorize AND significantly stronger.