zxcvbn [1], the best simple password strength estimator I'm aware of, gives "correct horse battery staple" around 62 bits, and "Tr0ub4dour&3" around 30 bits (cracked in a day). ("ILoveTacoAndBurgersWhatever1984", suggested below, 53 bits).
> Yes. Knowing the password rules limits the space that'd need to be bruteforced.
Yes, but not that much, really:
1. Giving away the length of your password doesn't help the attacker much. For realistic scenarios, testing all passwords with length < N takes less than 2% of the time of testing all passwords with length N.
(The proportion of passwords with length < N to passwords with length N is approximately 1/M, where M is the number of distinct symbols (here about 60). Exactly it's (q-q^N)/(1-q), I think, where q=1/M.) So, even if you use only numbers, telling the attacker the length of the password gives them only a 10% edge.
2. Knowing that a 10-letter password contains at least one number excludes about 1/6 of passwords ((50/60)^10). So, that's less than one bit. Similarly with special characters etc.
TL;DR: Telling an adversary the length of your password doesn't really help them. Telling them password rules (contains a number, etc.) helps them more, but adding just one more character to your password increases the difficulty more than knowing the password rules decreases it.
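The arithmetic in the comment above, as an added example that is not part of the original thread. It generalizes the single-rule case to several required character classes using inclusion-exclusion; the function names and the 10-digit/50-other split of the 60-symbol alphabet are assumptions chosen to match the comment's (50/60)^10.

```python
from fractions import Fraction
from itertools import combinations
from math import log2


def shorter_fraction(m: int, n: int) -> Fraction:
    """Passwords of length 1..n-1 divided by passwords of length exactly n."""
    return Fraction(sum(m**k for k in range(1, n)), m**n)


def count_satisfying(classes: dict, required: list, n: int) -> int:
    """Length-n strings containing at least one symbol from every required
    class, counted by inclusion-exclusion over the classes left out."""
    m = sum(classes.values())
    total = 0
    for r in range(len(required) + 1):
        for missing in combinations(required, r):
            remaining = m - sum(classes[c] for c in missing)
            total += (-1) ** r * remaining**n
    return total


def bits_revealed(classes: dict, required: list, n: int) -> float:
    """Bits of search space an attacker saves by knowing the rule."""
    m = sum(classes.values())
    return log2(m**n) - log2(count_satisfying(classes, required, n))


if __name__ == "__main__":
    # Assumed alphabet: 60 symbols, 10 of them digits (as in the comment).
    alphabet = {"digit": 10, "other": 50}
    n = 10
    print(f"length known, M=60: {float(shorter_fraction(60, n)):.4%} of work saved")
    print(f"length known, M=10: {float(shorter_fraction(10, n)):.4%} of work saved")
    print(f"'has a digit' rule: {bits_revealed(alphabet, ['digit'], n):.3f} bits saved")
    print(f"one extra character: {log2(60):.3f} bits added")
```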
What one is really trying to estimate with a "strength estimator" is how much entropy needs to be used to crack it when the generation method is known (Kerckhoffs's principle, sort of). So what one really needs to look at is the generation method, not the resulting password.
[1] https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-pass...
https://www.bennish.net/password-strength-checker/