Yeah, that’s not optimal. My single-sourced, non-verified quick Google search tells me that brute forcing a 10-char password of lower case letters only would be instant, subbing out one char for an upper-case letter would increase to one month, and subbing out another char for a number raises that to 6 years. Simply allowing for a special char would take 50 years.

That’s assuming the password is truly random. Use a dictionary with some rule sets, and make some assumptions like people will probably just append a number to the end of their password, and you’ll knock those times down drastically.

There’s no excuse for not allowing your users to use safe passwords.