Note: This doesn’t explicitly relate to programming, but I was hoping this can be explained from a programmers point of view.

There are two things I simply don’t understand about current ‘password strength ratings’. This all pertains to brute force entry. (If these ‘password strength ratings’ relate to any other type of breach aside from using a common/popular password please let me know).

1) Why does it matter if I include numbers/symbols/uppercase letters as long as the password system allows for the possibility of using them?

For example lets just say:

a) The systems accepted characters are a-z, A-Z, 0-9, and their “shifted values” ‘!’ to ‘)’, so 72 possible symbols.

b) I use a password of length ten, so 72^10 possibilities.

c) My password is not in the top 10,000 most common/popular passwords used. So 72^10 – 10,000 possibilties remain.

Wouldn’t an all lowercase password like ‘sndkehtlyo’ be identical strength as ‘kJd$56H3di’ since they both share the same possibility of including the additional characters? Doesn’t the brute force algorithm have to include those numbers/symbols/uppercase regardless of whether or not I use them? It seems like these rating systems believe a brute force attempt will try all 26^n lowercase passwords first, all 52^n passwords second, then all 62^n passwords, etc, etc.

2) Why does that even matter? I have yet to come across any password system that doesn’t lock you out after some small fixed number of attempts (usually 5). How can brute force approaches even work these days?

I feel like I am missing something fundemental here.