It's kind of fun working out how many passwords that is.
So letters + numbers + 3 special characters. Our first and last positions can't be special characters, and we can't have the same letters concurrently, so we're in the ballpark of:
62^2 * 64^6 = 264,157,668,573,184 passwords
However, passwords must contain a letter, number, and special character. This means that we can eliminate the entire letters + numbers set, the numbers + specials set, and the letters + specials set:
(62^2 * 64^6) - (62 * 61^7) - (10^2 * 12^6) - (52^2 * 54^6) = 2,261,873,997,098 - Did I get that math right?
That's still a decently large space, but it's small enough to be attackable even if the passwords are hashed.
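An added example, not part of the original comment: an exact count of the space under the rules as the comment states them. It assumes length 8, 52 letters, 10 digits and 3 special characters, and reads "same letters concurrently" as "no two identical adjacent characters"; the function names are illustrative, and a brute-force enumerator is included to cross-check the count on a small alphabet.

```python
from itertools import product
from math import log2

# Assumed class sizes and length, taken from the comment's description.
SIZES = {"letter": 52, "digit": 10, "special": 3}
LENGTH = 8

def count_passwords(sizes=SIZES, length=LENGTH):
    """Count valid passwords with a DP over (class of last char, classes seen)."""
    # First position may not be a special character.
    states = {(c, frozenset([c])): sizes[c] for c in ("letter", "digit")}
    for pos in range(1, length):
        is_last = pos == length - 1
        nxt = {}
        for (last, seen), n in states.items():
            for c, size in sizes.items():
                if is_last and c == "special":
                    continue  # last position may not be special
                # Within the previous character's class, exactly one
                # character (the previous one itself) is forbidden.
                choices = size - (1 if c == last else 0)
                if choices > 0:
                    key = (c, seen | {c})
                    nxt[key] = nxt.get(key, 0) + n * choices
        states = nxt
    # Keep only passwords that used every class at least once.
    return sum(n for (_, seen), n in states.items() if len(seen) == len(sizes))

def brute_force(sizes, length):
    """Enumerate every string; only feasible for small alphabets and lengths."""
    alphabet = [(c, i) for c, n in sizes.items() for i in range(n)]
    total = 0
    for pw in product(alphabet, repeat=length):
        if pw[0][0] == "special" or pw[-1][0] == "special":
            continue
        if any(a == b for a, b in zip(pw, pw[1:])):
            continue
        if {c for c, _ in pw} == set(sizes):
            total += 1
    return total

def entropy_bits(count):
    """Bits of entropy if passwords were drawn uniformly from the space."""
    return log2(count)

if __name__ == "__main__":
    total = count_passwords()
    print(f"{total:,} passwords, about {entropy_bits(total):.1f} bits")
```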
Assuming you have unrestricted access to the user information, which to me usually means I already have unfettered access to your system, why would I need passwords?
Do many systems allow nearly unlimited attempts? Is this common on some platforms? For all except the most locked down users; single task; it pretty much is three strikes you're out, call to fix your access.