Not 100% following your final math, but it?s beside the point. Not adding requirements would result in the majority of users not taking advantage of the expanded options. Dictionary attacks would be infinitely more successful. Beyond that most passwords would be character strings.

The truth is that most systems that will have requirements as you mention will also have minimum password lengths, case sensitivity, and additional characters available. All of these serve to create a huge well of passwords that increase the time required to match by a computer. This also assumes you have the ability to perform such an attack bypassing security features limiting attempts and monitoring access patterns.

So, even if your point stands mathematically, it?s a drop in the ocean compared to forcing users to actually create a stronger password.

my math is that by creating the strength requirements, you exclude what would otherwise be part of the pool. In my example 26 letters plus 10 digits gives you 46,656 possible passwords ( I think my math is correct there), but requiring one letter and one number excludes 1000 possible passwords from the set (000, 123, 957, 514, etc) in that none of the possible passwords can be made up on only numbers.* If I am just trying to guess your password it is marginally easier to guess right when the pool of possible passwords is smaller. And yes, otehr measures are in place such as a limit on the number of attempts, but for the sake of this discussion we can ignore that as it is beside the point.

I take your point that most people are dumb and if given the choice would create easily guessed passwords (password is an amazingly popular password). But, that doesn't seem to matter.

Imagine that I want to crack the password fro a random user. I don't know them. I don't know how clever they are. What I know is the rules of the system from which I can begin formulating possible passwords. The larger the possible pool is, the more possibilities I need deal with. If the system allows numbers and letters I can't just assume that my mark was dumb and used only numbers. I have to work with what I do know, and that is that the pool of passwords possible contains both. But, if the system excludes some subset of combinations then I have a smaller pool to work from and an easier time of it.

I get that psychologically there may be some real world value in forcing people into more complex passwords, but again that seems beside the point.

* I oversimplified this terribly. For clarity I am focusing on the exclusion of the 1000 possible combinations that include only numbers. This rule actually excludes a much larger group of combinations than that (aaa, abc, xlk, etc), but I feel like the point is made just as well. And . . . it jut occurred to me that that is why you weren't following my math above. Sorry for that.

What you are describing is brute force hacking and the most time consuming attack method. It's why some systems require you to change your password every X number of months.

Let's look at the most common requirements. 8 characters minimum, at least 1 letter, and at least 1 number. Mixed case isn't required but recognized.

Character set = 62

Total possible passwords = 62^8 = 218,340,105,584,896
Total letter only passwords = 52^8 = 53,459,728,531,456
Total number only passwords = 10^8 = 100,000,000

Total allowable passwords = 164,880,277,053,440.

That's approximately 165 trillion possibilities. That's not even involving special characters. And that's the minimum. Adding one additional character increases that by a factor of 62. Now add one more. Now another. Length is the magic feature.

Imagine the number of passwords you'd need to be able to check per second to exhaust the list.

Now for some psychology.

Most of the numbers are going to be years, and most of them are still going to be from the 1900s. They're also going to be appended to the back of the password.
Most of the letters are going to be words or word combinations.
If numbers are not appended to the back of the string, they are most likely to be incorporated into a word. For instance the "a" in "thr4ll"...

You want a hard to crack password? Follow Randall's advice -> https://xkcd.com/936/

yes. That's good advice. The needlessly complex password is easier to crack and harder to remember. . I'd note that the sort of password he suggests is impossible in most systems due to the requirements discussed above. correcthorsebatterystaple contains no numbers or special characters. In a systme that allows, but does not require those things seems best.

And, as you note, length is the big factor but again, I would prefer a system with a minimum number of characters (say 9) but not necessarily a maximum.

...add a 1 to the end.

Ok.

Wanna talk about P vs NP?

I don't believe there to be a correlation, but that's based solely on instinct or rather what my innate understanding of mathematics immediately suggests.

To me it's one of a class of questions I think of as "god math". Someone suggests it, people debate it, and the parameters for proof on one end inversely correlate with parameters for proof on the other.

That largely aligns with my (extremely limited) understanding.

It's nice that we are here discussing something totally unrelated to the current mess. It really is.