Requiring one of each special character doesn't narrow the attack space. You have to remember that the attacker doesn't know the password unless it's guessed correctly. They don't know the order and which characters satisfy which requirements. Therefore to the attacker, every character could be any of the 96. Character requirements enforce that a user takes advantage of the full character space and that the attacker has to try 96^6.
What if the attacker knows the rules of the system, though? If I were an attacker and I know that the password is exactly 6 characters and at least 1 special character is required, I don't need to bother checking abcdef, right?
Right, but it's a trivial difference. A difference more than made up by the fact that all your passwords had to be brute-forced in the full attack space. If for argument's sake we keep a password of six characters, the full allowable space of 96 would be 96^6. A password of six characters using the full space with a required one special character would be (96^5) * 34. The difference in those two spaces simplifies to 96/34 or ~2.8x. Consider now that without the requirement, you could try guessing passwords in a 26 or 52 character space, knowing that it is likely some percentage of people only had lowercase or alphabetic passwords. That would be a much smaller space and would probably yield a decent number of passwords. Ultimately length matters more than anything, and perhaps requiring a special character creates more attack vectors through social engineering. Real-world security is hard all the way around, I guess.
But they do know the password rules. So they can eliminate all passwords that don't satisfy them, and not even check those.
Also, I'm not sure where OP got 270x... Is my math wrong?
I calculated it for all rules together. 1 lowercase, 1 uppercase, 1 digit, 1 special character.
That yields 96^4 / (26*26*10*34), which is about 370.
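As an added example (not from any commenter in this thread), the script below puts both estimates side by side: the thread's "fix one position per required class" count, and the exact count of strings that contain at least one character from every required class, computed by inclusion-exclusion. The class sizes are the ones used above (26 lowercase, 26 uppercase, 10 digits, 34 special, 96 total); nothing else is assumed.

```python
from itertools import combinations
from math import prod

# Character classes as used in the thread (constructed to match it):
# 26 lowercase + 26 uppercase + 10 digits + 34 special = 96 total.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 34}
TOTAL = sum(CLASSES.values())  # 96
ALL_RULES = tuple(CLASSES)


def full_space(length):
    """Every position free over the full 96-character alphabet."""
    return TOTAL ** length


def naive_required_space(length, required):
    """Thread-style estimate: one position is reserved for each required class
    (drawn from that class only) and the remaining positions are free.
    This undercounts, because the required characters may sit anywhere and
    the 'free' positions may also satisfy a requirement."""
    free = length - len(required)
    return TOTAL ** free * prod(CLASSES[c] for c in required)


def exact_required_space(length, required):
    """Exact count of length-character strings over all 96 characters that
    contain at least one character from every required class.
    Inclusion-exclusion: sum over subsets S of the required classes of
    (-1)^|S| * (alphabet size with the classes in S removed) ** length."""
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            alphabet = TOTAL - sum(CLASSES[c] for c in excluded)
            total += (-1) ** k * alphabet ** length
    return total


def naive_ratio(length, required):
    """How many times smaller the naive estimate makes the search space."""
    return full_space(length) / naive_required_space(length, required)


def exact_ratio(length, required):
    """How many times smaller the search space really is under the rules."""
    return full_space(length) / exact_required_space(length, required)


if __name__ == "__main__":
    for rules in (("special",), ALL_RULES):
        print(rules, "naive x%.2f" % naive_ratio(6, rules),
              "exact x%.2f" % exact_ratio(6, rules))
```

For six characters with one required special, the naive estimate gives the thread's ~2.8x while the exact count gives only ~1.08x; with all four rules the naive estimate gives ~370x but the exact count gives ~3.75x, so composition rules shrink the keyspace far less than the position-fixing estimate suggests.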