8-9 character passwords are very insecure unless they are completely random. So you better define what you exactly mean with a "complex password".
Trying all possible combinations with a simple mask like that is extremely inefficient and is only needed if 8-9 character passwords are indeed truly random and computer generated.
To give you an example, if a user types a random passwords, keys are often adjacent, some are more frequent than others and caps and numbers are often grouped together. So it easy enough to hack up to a length of 12 characters or so of 'semi randomly typed' passwords. Most users don't even bother to try to be random, so with a dictionary or mask, followed with some rules, most 8-9 character passwords are hack-able i seconds to minutes since they follow predictable patterns and use words or at least syllables.
Trying all possible combinations with a simple mask like that is extremely inefficient and is only needed if 8-9 character passwords are indeed truly random and computer generated.
To give you an example, if a user types a random passwords, keys are often adjacent, some are more frequent than others and caps and numbers are often grouped together. So it easy enough to hack up to a length of 12 characters or so of 'semi randomly typed' passwords. Most users don't even bother to try to be random, so with a dictionary or mask, followed with some rules, most 8-9 character passwords are hack-able i seconds to minutes since they follow predictable patterns and use words or at least syllables.