A question about password length…

Right. So here’s a dumb question about password length. There are a great many sites where you have to register to use the service. Most of these sites require you to provide a user-name and a unique password. In order for your account to be secure, it’s in your interest to have a password that’s hard to guess. So the first thing that most sites suggest is that your password should be a certain number of characters long. The reason for this is that people will try to use passwords that are as simple as possible to remember, and short passwords are going to be easier to remember than long ones. So if you were doing a brute-force attack trying every combination of letters, and people (on average) were using more passwords that were four characters long than seven or eight characters long, then you’d be able to break some passwords pretty quickly just by starting with the smallest words. So people stick on a minimum length of passwords. Which is interesting. So my first question here is: if you set a minimum password length of (say) six characters, how many people use exactly six-, seven- or eight-character passwords? Doesn’t that make it easier for people to state ‘a large number of passwords will be of this length, so let’s target our efforts there’? Even if the maths involved is much nastier? I bet – for example – that loads of people have passwords that are combinations of two three- or four-letter words… What’s the maths like around this stuff?
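The arithmetic behind the question above, as an added worked example that is not part of the original post. It counts the search space per password length, shows how little of the space the shorter lengths contribute (so an attacker who "targets length 6" pays almost the same as one who tries everything up to 6), converts a guessed length distribution into expected guesses per cracked account, and sizes the "two short words glued together" space against random lowercase strings of the same length. The word counts (about 1,000 three-letter and 4,000 four-letter words) and the length shares used in the demo are assumptions for illustration, not measured data.

```python
from math import log2


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def keyspace_up_to(alphabet_size: int, max_length: int) -> int:
    """Number of strings of any length from 1 to `max_length` inclusive."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def shorter_fraction(alphabet_size: int, length: int) -> float:
    """Share of the search space up to `length` taken by strictly shorter strings.

    This is the most an attacker can save by knowing the exact length instead of
    trying every length up to it: roughly 1/(alphabet_size - 1).
    """
    return keyspace_up_to(alphabet_size, length - 1) / keyspace_up_to(alphabet_size, length)


def guesses_per_account(alphabet_size: int, length_share: dict[int, float]) -> dict[int, float]:
    """Expected guesses per cracked account if the attacker exhausts one length only.

    `length_share` maps password length -> fraction of users at that length
    (an assumed distribution; the post asks what the real one looks like).
    A full sweep of length n costs alphabet_size**n guesses and cracks the
    share of users at that length, so cost per account is keyspace / share.
    """
    return {n: keyspace(alphabet_size, n) / share for n, share in length_share.items()}


def two_word_space(words_by_length: dict[int, int]) -> dict[int, int]:
    """Count two-word concatenations, keyed by total length.

    `words_by_length` maps word length -> how many dictionary words have that
    length (assumed counts). word1 and word2 are chosen independently, so
    a 3+4 and a 4+3 password are counted separately.
    """
    out: dict[int, int] = {}
    for len_a, count_a in words_by_length.items():
        for len_b, count_b in words_by_length.items():
            out[len_a + len_b] = out.get(len_a + len_b, 0) + count_a * count_b
    return out


def random_vs_two_words(alphabet_size: int, words_by_length: dict[int, int]) -> float:
    """How many times larger the random search space is than the two-word space,
    over the lengths that two-word passwords can have."""
    two_words = two_word_space(words_by_length)
    random_space = sum(keyspace(alphabet_size, n) for n in two_words)
    return random_space / sum(two_words.values())


if __name__ == "__main__":
    lowercase = 26
    # Assumed (not measured) figures for the demonstration.
    assumed_shares = {6: 0.5, 7: 0.3, 8: 0.2}
    assumed_words = {3: 1_000, 4: 4_000}

    for n in (6, 7, 8):
        print(f"len {n}: {keyspace(lowercase, n):>15,} strings ({log2(keyspace(lowercase, n)):.1f} bits)")
    print(f"strings shorter than 6 are {shorter_fraction(lowercase, 6):.1%} of everything up to 6")
    for n, cost in guesses_per_account(lowercase, assumed_shares).items():
        print(f"sweep length {n} only: {cost:,.0f} guesses per cracked account")
    print(f"two-word passwords by length: {two_word_space(assumed_words)}")
    print(f"random lowercase space is {random_vs_two_words(lowercase, assumed_words):,.0f}x "
          "the two-word space over lengths 6..8")
```

The takeaway the numbers give: each extra lowercase character multiplies the space by 26, so the shortest allowed length dominates the cost no matter what, and the attacker gains at most about 4% from knowing the length exactly. What does hurt is structure, not length: two dictionary words of 3 or 4 letters give on the order of 25 million candidates, thousands of times fewer than the random strings of the same lengths.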