This has me scratching my head. Every article I have seen on password security says that including upper case and lower case letters makes for greater security. OK, that is common sense since there are more possible combinations for a brute force approach to attack.
But how many more combinations? One might say that 26 lowercase letters plus their capitalized counterparts doubles the available symbols.
On the other hand, as a practical matter an uppercase letter is achieved by hitting the "Shift" key prior to the target letter. So one might argue that adding upper case letters really only adds one more symbol, namely, the ocassional insertion of a "Shift" into the password keystroke combination.
That represents more security since passwords are now longer and the length is less predictable. For example, suppose a site requires a six letter password. "abcdef" would qualify. However '[Shift]abcdef' (which would appear as Abcdef) would also qualify even though it is seven keystrokes.
I suppose I should unearth a question here. Let's start with 6 letter passwords, all lowercase. There should be 26^6 combinations, from aaaaaa to zzzzzz.
Adding caps might be modeled as creating 52 possible six-character combinations, so the total available is 52^6, which is 2^6 or 64 times more possibilities than lower case only.
But suppose we model the possibilities as the sum of:
(1) all six letter lower case combos;
(2) all seven stroke combos (six letters plus a shift);
(3) all eight stroke combos (six letters, two shift):
and so on to
(7) all twelve stroke combos (six letters, six shifts)
My common sense is telling me that if the second approach exhausts the possibilities for mingling upper- and lower-case letters it must give the same answer as the first approach, i.e., 52^6.
Hmmph. Normally this sort of problem holds my attention when the alternative is finalizing my taxes; I don't know why I am locked up on this now.