Passwords – Why so complicated?

Share on facebook
Share on twitter
Share on linkedin

Were you ever told your password is missing a ‘special character’? Or that you need at least 8 characters? Is it just me, or have password requirements been getting a little bit more complex? 

An example message showing the requirements for a password. (Source: HashThat’s app)

Even though this may seem unnecessary for many, this increase in complexity is somewhat necessary. In this article, I’ll try to explain why through a simple game.

The Game

Part 1

For a minute, let’s imagine that we are playing a game where you need to guess one number from 1 to 3. Fairly easy, right? (For those playing – I was thinking about the number 2).

Part 2

Let’s up the game a little bit. This time, you need to guess a number from 0 to 9. Hmm, a bit more challenging. (For those playing – this time, I was thinking about the number 8).

Part 3

In the next level, you need to choose two numbers from 0 to 9. This means that, compared to the previous game, there are now 100 different possibilities (i.e. 102) against the last game’s 10 possible choices (i.e. 101). Getting even more challenging, right?

Part 4

Now, let’s see what would happen if all the character types often required in a password were available. In summary, the four-character groups are:

  • Lower-Case Characters (a – z): 26 characters
  • Upper-Case Characters (A – Z): 26 characters
  • Numbers (0 – 9): 10 characters
  • Special Characters (E.g. !, ., #, _, etc.): 4 characters (for this example)

Using these four groups there are now a possible 66 different characters per selection. (Working: 26 + 26 + 10 + 4 = 66 characters)

Therefore, when compared to Part 3, if we select 2 characters from the 66 characters available (with replacement), there are 4356 possibilities (i.e. 662) – an increase from Part 3‘s 100 possibilities.

Finally, taking the minimum character length of many websites (i.e. 8 characters), the same example would lead to around 360 Trillion (or circa 360,004,060,630,000) different password combinations (i.e. 668). Therefore, if a malicious user were trying to guess your password – it might take a while (assuming you set a random password).

Naturally, if you further increase the length of your password, the number of possible password combinations will continue to drastically increase.


In this brief article, we outlined one way how the (some would say) irritating password-released rules set out by most websites are actually there to protect us from different password-related attacks (e.g. brute force attacks).

In the next part of this blog series, we will look into common shortfalls that may still lead to a compromised password.

Table of Contents