Take this hypothetical scenario (okay, it really wasn’t hypothetical at the time). You recommend to your client that a minimum password length of 8 characters be enforced, but they want a minimum of 6 characters and, in exchange, they will enforce password complexity (alphanumeric plus special characters).
As auditors we like to have facts to back up our recommendations. What better fact than simple math?
Password strength, measured as the number of guesses an attacker needs to brute-force the password, is the number of characters available to choose from (the size of the character set) raised to the power of the length of the password.
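To put numbers behind that formula, here is an added example (not from the original post) that computes the keyspace for the two policies in the scenario and works out how long a password from a smaller character set must be to match them. The character-set sizes (26 lowercase, 62 alphanumeric, 95 printable ASCII for "complex") are assumed values for illustration, not figures from the post.

```python
# Added example: compare brute-force keyspaces of password policies
# using keyspace = charset_size ** length, as described above.
import math

# Assumed character-set sizes (constructed for illustration):
LOWERCASE = 26        # a-z only
ALPHANUMERIC = 62     # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95  # letters, digits and 33 special characters


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords an attacker must try in the worst case."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Same keyspace expressed in bits: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def min_length_to_match(charset_size: int, target_keyspace: int) -> int:
    """Smallest length L such that charset_size ** L >= target_keyspace.

    Uses integer arithmetic so large keyspaces are compared exactly.
    """
    length = 1
    while charset_size ** length < target_keyspace:
        length += 1
    return length


def compare_policies() -> dict:
    """The scenario from the post: 6 chars complex vs 8 chars, two charsets."""
    six_complex = keyspace(PRINTABLE_ASCII, 6)
    return {
        "6_complex": six_complex,
        "8_lowercase": keyspace(LOWERCASE, 8),
        "8_alphanumeric": keyspace(ALPHANUMERIC, 8),
        # How long must a password be to beat the 6-char complex policy?
        "lowercase_needed": min_length_to_match(LOWERCASE, six_complex),
        "alphanumeric_needed": min_length_to_match(ALPHANUMERIC, six_complex),
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name:>20}: {value:,}")
```

Note that the formula assumes passwords are chosen uniformly at random from the full character set; a complexity rule only helps if users actually spread their choices across it, and human-chosen passwords cluster heavily on predictable patterns.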