Thomas Gassmann

Note that these are only rough calculations, based on a set of strong assumptions I made at 1am. They apply to plain brute force only; dictionary, rule-based or mask attacks use knowledge of the length very differently, and nothing below says anything about them.

Let's assume a very basic brute-force approach: the attacker would otherwise enumerate every string of length $1$ up to $n$ over an alphabet of $m$ characters, and knowing the length lets them skip everything shorter than $n$. Let $r(n,m)$ be the number of candidates eliminated this way, relative to the $m^n$ candidates of length exactly $n$ that remain to be tried, with $n$ being the password length and $m$ the number of possible characters.

\begin{align*} r(n, m) & = \frac{\sum_{i=1}^{n-1} m^i}{m^n}\\ & = \frac{\frac{m^n - 1}{m - 1} - 1}{m^n}\\ & = \frac{m^n - m}{m^n(m - 1)}\\ & = \frac{1 - m^{1-n}}{m - 1} \end{align*}

Now, if we assume that $m, n \geq 2$: $m^{1-n}$ is strictly decreasing in both $m$ and $n$ on $[2, \infty) \times [2, \infty)$, so it is at most $2^{-1} = \frac{1}{2}$ (at $m = n = 2$) and tends to $0$ as $n$ grows. Substituting these two extremes gives:

$\frac{1}{2(m - 1)} \leq \frac{1 - m^{1-n}}{m - 1} \leq \frac{1}{m - 1}$

One interesting observation: the benefit does not vanish as the password gets longer. As $n \to \infty$ the ratio tends to $\frac{1}{m - 1}$, so even for an arbitrarily long password an attacker still gains something from knowing its length, and in that limit the gain depends only on the number of characters that are allowed.

In practice we can almost always assume that $m \geq 62$ (26 lower-case letters, 26 upper-case letters, 10 digits; allowing symbols only makes $m$ larger and both bounds smaller), which gives us the following bounds:

$\left[ \frac{1}{122}, \frac{1}{61} \right] \approx \left[ 0.008197, 0.016393 \right]$

i.e. even in the worst case, knowing the length lets the attacker skip only about 1.64% as many candidates as remain to be tried, which is roughly 1.61% ($\frac{1}{62}$) of the full search over all lengths up to $n$.
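As an added check, not part of the original post, the following Python computes $r(n,m)$ exactly with rational arithmetic, compares it against the closed form and the bounds derived above, and also reports the share of the whole length-$1$-to-$n$ search space that knowing the length removes (which is $\frac{r}{1+r}$, the quantity the "fewer options to try" sentence refers to). The alphabet sizes and lengths in the table are assumed sample values.

```python
from fractions import Fraction


def skipped(n: int, m: int) -> int:
    """Candidates of length 1..n-1 that an attacker who knows the length n never has to try."""
    return sum(m ** i for i in range(1, n))


def r(n: int, m: int) -> Fraction:
    """r(n, m) as defined in the post: skipped candidates relative to the m**n of length n."""
    return Fraction(skipped(n, m), m ** n)


def r_closed_form(n: int, m: int) -> Fraction:
    """The simplified expression (1 - m^(1-n)) / (m - 1), to cross-check the derivation."""
    return (1 - Fraction(1, m ** (n - 1))) / (m - 1)


def share_of_full_search(n: int, m: int) -> Fraction:
    """Fraction of the whole length-1..n keyspace removed: skipped / (skipped + m**n) = r / (1 + r)."""
    s = skipped(n, m)
    return Fraction(s, s + m ** n)


def within_bounds(n: int, m: int) -> bool:
    """Check the post's bounds 1/(2(m-1)) <= r(n, m) <= 1/(m-1), valid for m, n >= 2."""
    lo, hi = Fraction(1, 2 * (m - 1)), Fraction(1, m - 1)
    return lo <= r(n, m) <= hi


if __name__ == "__main__":
    # Assumed sample alphabets: digits, lower-case letters, alphanumerics, printable ASCII.
    alphabets = {"digits": 10, "lower": 26, "alnum": 62, "printable": 95}
    lengths = (2, 4, 8, 16, 64)
    print(f"{'alphabet':>10} {'m':>3} {'n':>3} {'r(n,m)':>10} {'share removed':>14} {'in bounds':>10}")
    for name, m in alphabets.items():
        for n in lengths:
            # The exact sum and the closed form must agree for every (n, m).
            assert r(n, m) == r_closed_form(n, m)
            print(f"{name:>10} {m:>3} {n:>3} {float(r(n, m)):>10.6f} "
                  f"{float(share_of_full_search(n, m)):>14.6f} {str(within_bounds(n, m)):>10}")
```

Running it shows the two effects the derivation predicts: for a fixed alphabet the ratio climbs quickly from $\frac{1}{m}$ at $n = 2$ towards its limit $\frac{1}{m - 1}$, and growing the alphabet (for example from 62 alphanumerics to 95 printable ASCII characters) shrinks both the ratio and the share of the full search that the length reveals.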