If I know your site doesn't accept passwords of less than 6 characters, that is somewhere between 782,757,789,696 and 308,915,776 permutations, depending upon what other silly restrictions you have in place, that I don't have to try. Why make my life easy?
Using uppercase, lowercase and digits you have 62^6=56,800,235,584 combinations---a whopping 0.000000002% of the remaining search space if we assume an upper limit of 12 characters. That's like making your work easy[tm] by shaving 50 µs off your 8-hour working day :)
This only becomes relevant anyway in the worst case of someone getting to your password DB. Nobody's gonna try that many combinations online; under the completely unrealistic assumption of 1000 parallel connections that each try 10 passes a second it would still take over two months. What people (and password crackers like John the Ripper) do first is take a dictionary, try that, then reverse, substitute some letters with more or less obvious digits, rinse and repeat. Password policies are supposed to keep people from using "dog", "johN" or "m0mmy" as passwords that indeed have a chance of being found by such attacks. They save an attacker a negligible amount of time if he's really going to try all combinations, but not having any saves him close to 100%, because he can count on some people stupidly choosing a dictionary word or the like.
In reply to Re^4: Password strength calculation by mbethke, in thread Password strength calculation by cavac
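Added example, not part of the thread or any poster's code: a policy-side check in Python that rejects passwords which reduce to a dictionary word after the case folding, reversal and digit-for-letter substitution described in the post above, next to the keyspace arithmetic for a minimum-length rule. The word list, the substitution table and all function names are assumptions made for illustration.

```python
# Constructed sample word list; a real policy check would load a large dictionary.
WORDLIST = {"dog", "john", "mommy", "password", "dragon"}

# Assumed table of "more or less obvious" digit-for-letter substitutions.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalized_forms(password):
    """Return the forms a dictionary attack with simple mangling would cover."""
    lowered = password.lower()
    forms = set()
    for form in (lowered, lowered.translate(LEET)):
        forms.add(form)        # plain or de-substituted word
        forms.add(form[::-1])  # the same, reversed
    return forms


def dictionary_hit(password, wordlist=WORDLIST):
    """Return the dictionary word the password reduces to, or None."""
    for form in normalized_forms(password):
        if form in wordlist:
            return form
    return None


def keyspace(alphabet_size, min_len, max_len):
    """Number of strings over the alphabet with min_len..max_len characters."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def excluded_fraction(alphabet_size, min_len, max_len):
    """Share of the 1..max_len keyspace that a minimum-length rule rules out."""
    removed = keyspace(alphabet_size, 1, min_len - 1)
    return removed / keyspace(alphabet_size, 1, max_len)


if __name__ == "__main__":
    for pw in ("dog", "johN", "m0mmy", "g0d", "Tr7bk2qLx9"):
        print(f"{pw!r}: dictionary hit = {dictionary_hit(pw)}")
    print("62^6 =", keyspace(62, 6, 6))
    print("excluded by min length 6 (max 12):", excluded_fraction(62, 6, 12))
```
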