The theoretical perspective
Let's do the math here. There are 26 letters, 10 digits and let's say about 10 special characters. To begin with, we assume that the password is completely random (and that a character in one group is not more likely to be used than a character in another group).
The number of possible passwords can then be written as C = s^n
where s
is the size of the alphabet, and n
the number of characters. The entropy of the password is defined as:
log2(C) = log2(s^n) = log2(s)*n
Lets plug the numbers from the question into this:
s n Entropy (bits)
A 52 6 34.2
B 52 10 57.0
C 72 7 43.2
D 26 10 47.0
E 26 5 23.5
So in this scenario, C is only the third-best option, after B and D.
The practical perspective
But this is all under the assumption of randomness. That is not a reasonable assumption for how people generate passwords. Humans just don't do it that way. So we would have to pick some other assumptions for how the passwords are generated, and what order the attacker tries them in her dictionary.
A not unreasonable guess would be that many dictionaries begin with words, and only later move on to making substitutions and adding special characters. In that case, a single special character in a short password would be better than a really long and common word. But on the other hand if the attacker knows that a special character is always used, she will try those passwords first. And on the third hand maybe the dictionary is centered around completely different principles (like occurrences in leaked databases).
I could go on speculating about this forever.
Why it is the question, not the answers, that is wrong
The problem is that there are many principles for how the password is generated to choose from, and I could arbitrarily pick one to make almost any answer the correct one. So the whole question is pointless, and only serves to obscure an important point that no password policy in the world can enforce: It is not what characters a password contains that makes it strong - it is how it is generated.
For instance, Password1!
contains upper case, lower case, a number, and a special character. But it is not very random. ewdvjjbok
on the other hand only contain lower case but is much better since it is randomly generated.
What they should have done
If you just stop relying on the very fallible and limited human memory the character set and the length stops being limiting factors that you have to weight against each other. You can have both in abundance.
One way to do this is to use a password manager. As Dan Lowe pointed out in comments, that might not be a workable option on a hospital. A second alternative is to use some kind of two-factor authentication (e.g. a hardware token or keycard) that makes the security of the first factor (the password) less important.
This is the responsibility of the system managers, and not the end users, to implement. They must provide the tools that allow the end users to perform their work in a practical and safe way. No amount of user education can change that.