Reputation: 389
On some sites there are certain restrictions on what characters should be used in passwords. For example, it must contain at least 1 digit, 1 alphabet symbol, etc. Does it really make a password harder to guess? It seems that brute-forcing such a password is easier than an arbitrary one. I've looked for similar questions, but those address password length restrictions, which seem reasonable to me (minimum length, of course).
Upvotes: 2
Views: 68
Reputation:
By making passwords meet a larger set of conditions, some feel that they increase the security of their systems. I would argue against that. Let's take a minor example:
Password of 4 characters where 1 must be capitalized (i.e. a letter), 1 must be a number, and all entries are a letter or number. Then you have:
26 letters, 10 numbers, 62 letters/numbers, 62 letters/numbers
That gives
26*10*62*62 combinations (for one ordering)
However, if we simply limit to all letters/numbers only then we get
62*62*62*62 combinations
It's obvious which is larger.
Now, remove the limitation of letters/numbers and allow every UTF-8 character (including space, ofc!) and that gets much larger.
By requiring certain characteristics of a password other than minimum length, the total number of combinations is reduced and that implies the overall security is reduced.
EDIT: It helps and does not hurt to have a list of passwords which are disallowed, for example cuss words, common pet names, etc., as those increase hackability while decreasing security.
Upvotes: 4
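Added example (not part of the answer above): an exact count, by inclusion-exclusion, of the passwords that satisfy an "at least one uppercase letter and at least one digit" rule over the 62-character letters/numbers alphabet, compared with the unrestricted count. It generalizes the answer's 4-character case to any length and any set of required classes; the class sizes assume ASCII letters and digits, and all function names are illustrative.

```python
import math
from itertools import combinations, product

# Assumed character classes: ASCII uppercase, lowercase and digits (62 total).
CLASSES = {"upper": 26, "lower": 26, "digit": 10}

def count_compliant(length, required, classes=CLASSES):
    """Number of strings of `length` containing at least one character
    from every class in `required` (inclusion-exclusion over the
    subsets of required classes that are entirely absent)."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * reduced ** length
    return total

def brute_force_count(length, required, classes=CLASSES):
    """Exhaustive cross-check: enumerate every string (as a tuple of
    class labels, one label per distinct character) and test the rule.
    Only practical for short lengths."""
    symbols = [name for name, size in classes.items() for _ in range(size)]
    need = set(required)
    return sum(1 for s in product(symbols, repeat=length) if need <= set(s))

def bits_lost(length, required, classes=CLASSES):
    """Search-space reduction, in bits, caused by the composition rule."""
    unrestricted = length * math.log2(sum(classes.values()))
    return unrestricted - math.log2(count_compliant(length, required, classes))

if __name__ == "__main__":
    rule = ("upper", "digit")
    for n in (4, 8, 12):
        allowed = count_compliant(n, rule)
        print(f"length {n:2d}: unrestricted {62 ** n:>22,d}  "
              f"compliant {allowed:>22,d}  "
              f"lost {bits_lost(n, rule):.3f} bits")
```
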
Reputation: 82
In math, it's called a permutation.
http://betterexplained.com/articles/easy-permutations-and-combinations/
For easy examples:
More possibilities take more time to hack your password.
Upvotes: -1