Originally Posted by State of Trance:
Assuming all ASCII characters #33 through #126 (uppercase, lowercase, numerals, and basic special characters) are eligible, a password of length n has 94^n possible combinations. Similarly, a password consisting solely of lowercase characters of length p only has 23^p. Thus, password strength is roughly equal when 94^n=23^p.
For example, let's assume n=8 (e.g., Aj&8l@z!). At p=12 (e.g., flyertalkone), the all lowercase password becomes "stronger" than the mixed character one.
Now, for simplicity, this example assumes that the password is being subject to a "brute force" attack, where all combinations are equally likely. In real-world practice, including dictionary words would decrease the entropy (randomness) of your passwords, but the point remains that length increases entropy considerably more than increasing the complexity of the character set.
You can use various password entropy calculators online to see this for yourself.
I agree with your math.
But that is not the only issue. Unless you are using a password store of some sort, then you have a trade-off of recall ability vs strength, and special characters help on this.
The only way most humans can remember a long string of letters is if they have meaning. And that puts a dictionary in play.
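
To put numbers on both posts, here is an added example (not written by either poster): it finds the length at which a smaller alphabet overtakes a larger one, then applies the same counting to whole words, which is the dictionary case raised in the reply. The 94 and 23 alphabet sizes are the figures from the quoted post; the 7776-word list size and the three-word reading of "flyertalkone" are assumptions made for illustration.

```python
import math

def bits(symbols: int, length: int) -> float:
    """Entropy in bits of `length` units drawn uniformly from `symbols` choices."""
    return length * math.log2(symbols)

def crossover_length(big: int, n: int, small: int) -> int:
    """Smallest p with small**p > big**n, using exact integer arithmetic."""
    target = big ** n
    p, space = 0, 1
    while space <= target:
        space *= small
        p += 1
    return p

def compare(n: int = 8, full: int = 94, lower: int = 23,
            wordlist: int = 7776, words: int = 3) -> dict:
    """Compare the quoted post's brute-force model with a dictionary model.

    wordlist/words are assumed values: an attacker who guesses whole words
    from a list of `wordlist` entries faces wordlist**words candidates,
    however many letters the resulting string has.
    """
    p = crossover_length(full, n, lower)
    return {
        "mixed_bits": bits(full, n),                 # n random chars from `full`
        "lowercase_len_needed": p,                   # the post's n=8 -> p result
        "lowercase_bits": bits(lower, p),            # letters treated as random
        "as_words_bits": bits(wordlist, words),      # same string, word-level guess
        "words_needed": crossover_length(full, n, wordlist),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        shown = f"{value:.1f}" if isinstance(value, float) else value
        print(f"{key:22} {shown}")
```

Under these assumptions the 12-letter string only beats the 8-character mixed password if its letters are random; guessed as three list words it falls well short, and five words are needed to pass it.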