
6 characters and entirely numeric seems like a bad idea, or am I missing something?


To continue that quote from above:

> A rationale for this is presented in Appendix A Strength of Memorized Secrets.

The relevant part of which reads:

> The minimum password length that should be required depends to a large extent on the threat model being addressed. Online attacks where the attacker attempts to log in by guessing the password can be mitigated by limiting the rate of login attempts permitted...

>

> Offline attacks are sometimes possible when one or more hashed passwords is obtained by the attacker through a database breach. The ability of the attacker to determine one or more users’ passwords depends on the way in which the password is stored. Commonly, passwords are salted with a random value and hashed, preferably using a computationally expensive algorithm. Even with such measures, the current ability of attackers to compute many billions of hashes per second with no rate limiting requires passwords intended to resist such attacks to be orders of magnitude more complex than those that are expected to resist only online attacks.


My reading was not that it must be entirely numeric, but that there is no rule that it won't be. As in, an attacker cannot make any assumptions about the characters in the randomly chosen password, such as "well it won't be all numbers, so let's rule out all those possibilities." The 6 character limit only seems to apply to randomly assigned ones, not to ones the user picks, which is where a strategy like "what about all the number combinations" is more useful.


Any kind of bias like that is potentially exploitable, though. If the rule allows "only numeric", and that's the simplest thing to implement, then someone's going to implement it that way.

Which means that an attacker now knows that moving "only numeric" to the beginning of their attack sequence may be a viable strategy. Whereas if the rule did not specify, the attacker would not be able to make assumptions about the character set.


That provides one million possibilities. I don't think you're missing anything. That's pretty terrible.

The only thing prolonging your account at that point is the service's rate-limiting, assuming a naive "enter this password in the login field, try it, repeat."


On the other hand, if you have too many password requirements and the user can’t remember it, they often lean on bad password hygiene, and the password ends up being reused (and inevitably leaked) or written down somewhere.


The numeric-only stipulation was in the "Memorized secrets chosen randomly by the CSP or verifier" category. Not chosen by the user.


Rate limiting can be practically strong for everyday use. Bank PINs are commonly 4 digits, though the chip+PIN system allows up to at least 6. Three attempts and the card is locked. Provided you stop users from picking obvious numbers like birthdays, it's pretty effective at preventing card fraud.

Weak passwords can be fine, provided rate limiting is extremely aggressive. You can adjust this based on access, e.g. your admin account might be locked under stricter heuristics like a single attempted login outside your geographic region (Live mail does this to me sometimes). In this case the user might even have the correct password, but if something else doesn't add up then you can block.
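The two policies described in this comment, a hard lockout after a fixed number of consecutive failures (the bank-card rule from the previous paragraph) and a stricter context check for privileged accounts that refuses even a correct secret, as an added example that is not part of the thread. Account names, PINs, regions, the three-strike threshold and the hashing are all constructed for illustration; a production verifier would use a slow, salted KDF rather than a bare SHA-256.

```python
"""Added example (not from the thread): a small per-account login throttle.

Policies demonstrated:
  * lockout after MAX_FAILURES consecutive wrong secrets ("three attempts
    and the card is locked");
  * for privileged accounts, refuse any attempt from outside the home region,
    even when the secret is correct (the "admin account" heuristic).
All names, thresholds and sample values are constructed assumptions.
"""
import hmac
from dataclasses import dataclass
from hashlib import sha256

MAX_FAILURES = 3  # constructed: lock the account on the third wrong secret


@dataclass
class Account:
    name: str
    secret_hash: bytes          # digest of the (constructed) PIN
    home_region: str
    privileged: bool = False
    failures: int = 0           # consecutive failures since last success
    locked: bool = False


def _digest(secret: str) -> bytes:
    # Toy hash so the example is self-contained; use a salted, slow KDF in practice.
    return sha256(secret.encode()).digest()


def make_account(name: str, secret: str, home_region: str, privileged: bool = False) -> Account:
    return Account(name, _digest(secret), home_region, privileged)


def attempt_login(acct: Account, secret: str, region: str) -> str:
    """Process one login attempt; returns 'ok', 'locked', 'bad_secret' or 'context_blocked'."""
    if acct.locked:
        # Once locked, nothing is evaluated: the guess budget is spent.
        return "locked"
    if acct.privileged and region != acct.home_region:
        # Context rule for privileged accounts: block before checking the secret,
        # so the response leaks nothing about whether the secret was right.
        return "context_blocked"
    if hmac.compare_digest(_digest(secret), acct.secret_hash):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
        return "locked"
    return "bad_secret"


def replay(acct: Account, attempts):
    """Replay a constructed list of (secret, region) attempts and return the outcomes."""
    return [attempt_login(acct, secret, region) for secret, region in attempts]


if __name__ == "__main__":
    card = make_account("alice", "482913", "CH")          # constructed PIN
    print(replay(card, [("000000", "CH"), ("000001", "CH"), ("000002", "CH"), ("482913", "CH")]))
    admin = make_account("admin", "739201", "US", privileged=True)
    print(replay(admin, [("739201", "DE"), ("739201", "US")]))
```

Note that a context-blocked attempt does not consume a failure; the intent is to stop the login, not to let an attacker lock the administrator out from abroad.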


But if you actually tried to use 6 digits you'd discover most layers never tested it, including some of the most common point-of-sale systems and many ATMs not operated by your bank. Plus, tellers at your bank won't believe you.


My debit card in Switzerland came with a six digit PIN - which was a surprise coming from the UK - and it works fine in other countries (Germany and Italy at least). But chip and PIN is well established in Europe so that's not too surprising.


Interesting - I should have qualified all that as US specific, I (stupidly) forgot you have debit card PINs as well.


I interpreted it backwards: "if you want to use a numeric keypad for controlling access to something, the codes MUST be at least 6 digits long, and you MUST assign them".


It's fine if there's no way an attacker can execute a brute-force attack. And that can even be prevented in hardware. The iPhone is a good example.


It's...not great, but can be handy if you pick something that isn't really identifiable - mostly dates.

On a few sites I've actually used old student ID #'s - easy to type and reasonably long, with the exception of one, all are 6+ characters.


Re: entirely numeric, as long as the attacker assumes that the victim may use letters in their password, all numbers is fine; it increases the total number of possible combinations an attacker needs to work through.


6 numeric characters is only ~20 bits. 8 is only 27 bits.

Far too short.
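The arithmetic behind the bit counts in this comment and the "one million possibilities" figure earlier, together with the online-versus-offline distinction the quoted NIST appendix draws: how much an aggressive lockout limits a guesser who can only try a handful of secrets, and how little it matters once the hashes are exfiltrated. This is an added example, not from the thread; the alphabet sizes, the assumed hash rate and the lockout budget are constructed inputs.

```python
"""Added example (not from the thread): entropy of random secrets and what it
buys under the two threat models in the NIST appendix quoted above.
Alphabet sizes, hash rate and guess budget are constructed assumptions."""
import math

# Constructed alphabet sizes for the comparison.
ALPHABETS = {
    "digits": 10,       # the 6-digit case discussed in the thread
    "lowercase": 26,
    "alnum": 62,
    "printable": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of the given length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random secret (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def online_success_probability(alphabet_size: int, length: int, allowed_guesses: int) -> float:
    """Chance a guesser wins when a lockout permits only `allowed_guesses` tries.

    With random secrets this is simply guesses / keyspace, capped at 1."""
    return min(1.0, allowed_guesses / keyspace(alphabet_size, length))


def offline_seconds(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Expected time to recover one secret offline: half the keyspace at the given rate."""
    return keyspace(alphabet_size, length) / 2 / hashes_per_second


def report(length: int = 6, allowed_guesses: int = 3, hashes_per_second: float = 1e10):
    """Rows of (alphabet, length, bits, p_online, offline_seconds) for each alphabet."""
    return [
        (name, length, entropy_bits(size, length),
         online_success_probability(size, length, allowed_guesses),
         offline_seconds(size, length, hashes_per_second))
        for name, size in ALPHABETS.items()
    ]


if __name__ == "__main__":
    # Constructed scenario: 3 guesses before lockout; 10^10 hashes/s offline.
    for name, n, bits, p_online, secs in report():
        print(f"{name:10s} len={n}  {bits:5.1f} bits  "
              f"online p={p_online:.1e}  offline ~{secs:.3g} s")
```

The same 6-digit secret that gives an online guesser a 3-in-a-million chance falls in well under a millisecond once the hash is on the attacker's hardware, which is the "orders of magnitude more complex" point the appendix makes.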



