Reg reader rages over Virgin Media's email password policy

Annihilator

Re: Something's not right here

It's slightly more than that, as that excludes passwords that might be shorter than 10 characters, which the attacker also has to check. But yeah, I had the same thought. Brute forcing a 10 alphanumeric character password is definitely a non-trivial task.

Interestingly (depending on your viewpoint...), adding 20 additional special characters only gives you around 16x as many possible passwords (82^10 divided by 62^10). Adding an additional alphanumeric character to the length of the password (taking it to 11) gives you 62x as many passwords (62^11 divided by 62^10).

Length is way more useful than special chars. In this use case, size definitely matters.

Confusingly (and somewhat ironically), password rules can actually *weaken* the password set. If you insist on "at least one upper, lower, number and special character", you've removed some password possibilities that the brute force attack doesn't need to try anymore. But equally you've stopped a lot of dictionary attacks, so it probably balances out...
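The counting argument in the comment above, worked through as an added example that is not part of the original comment. It assumes the 82 symbols split into 26 upper, 26 lower, 10 digits and 20 specials; the function names are hypothetical. It goes one step beyond the comment by using inclusion-exclusion to measure how much of the search space an "at least one of each class" rule removes.

```python
from itertools import combinations

# Assumed class sizes: 62 alphanumerics (26 + 26 + 10) plus the
# 20 special characters the comment mentions, 82 symbols in total.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 20}


def keyspace(alphabet_size, length):
    """Number of passwords of exactly `length` characters."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size, max_length, min_length=1):
    """Number of passwords of any length from min_length to max_length."""
    return sum(alphabet_size ** n for n in range(min_length, max_length + 1))


def keyspace_with_all_classes(classes, length):
    """Passwords of `length` containing at least one character from
    every class, counted by inclusion-exclusion over excluded classes."""
    sizes = list(classes.values())
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count


def fraction_kept(classes, length):
    """Share of the full keyspace that survives the composition rule."""
    total = sum(classes.values())
    return keyspace_with_all_classes(classes, length) / keyspace(total, length)


if __name__ == "__main__":
    print("20 extra specials :", keyspace(82, 10) / keyspace(62, 10))
    print("one extra char    :", keyspace(62, 11) // keyspace(62, 10))
    print("lengths 1..10     :", keyspace_up_to(62, 10) / keyspace(62, 10))
    print("kept by the rule  :", fraction_kept(CLASSES, 10))
```
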
