Posted Oct 14, 2011 23:28 UTC (Fri) by rgmoore
Parent article: Enforcing password strength
I think the XKCD reference is a great one. The truth is that most passwords or passphrases are very weak at using all the available entropy for a string of their length. Requiring passwords to have at least one capital and one number will usually result in passwords that use a dictionary word starting with a capital and have a 1 tacked onto the end, and that's predictable enough to incorporate into a cracking algorithm. Unless you use a completely random, very difficult to memorize password, the (available characters)**length approach will grossly overestimate password strength.
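As an added illustration of the comment above (example code written for this page, not part of the comment or of the article it replies to), the script below puts the two estimates side by side: the (available characters)**length figure, and the size of the search space a mangling-rule attack actually has to cover for a "Capitalised dictionary word + digits + maybe a symbol" password. The wordlist size of 50,000, the small sample wordlist, the rule set (capitalise or not, up to four trailing digits, one optional trailing symbol) and the symbol set are all assumptions chosen for the example; a real cracker's wordlist and rules differ, but the gap between the two numbers is the point.

```python
import math
import re

# Constructed sample wordlist standing in for an attacker's real one (assumption:
# a real cracking wordlist has tens of thousands of entries, so the bit count
# below is taken from ASSUMED_WORDLIST_SIZE, not from this toy list).
SAMPLE_WORDLIST = {"password", "monkey", "dragon", "letmein", "welcome",
                   "correct", "horse", "battery", "staple"}
ASSUMED_WORDLIST_SIZE = 50_000   # assumed size of the attacker's wordlist
MAX_DIGITS = 4                   # assumed: rules append 0..4 digits
SYMBOLS = "!@#$%^&*.?"           # assumed: symbols tried as a trailing character

# The structure the comment describes: a dictionary word, possibly with the
# first letter capitalised, possibly with digits tacked on, possibly one
# trailing symbol.
MANGLE_PATTERN = re.compile(r"^([A-Za-z]+)(\d*)([" + re.escape(SYMBOLS) + r"]?)$")


def naive_bits(password: str) -> float:
    """The (available characters)**length estimate: every position is an
    independent uniform draw from the union of the character classes present."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII punctuation
    return len(password) * math.log2(charset) if charset else 0.0


def mangled_word_bits(password: str, wordlist_size: int = ASSUMED_WORDLIST_SIZE):
    """Bits of search space a mangling-rule attack needs to cover the given
    password, or None if the password does not fit the pattern (in which case
    the attacker must fall back to something more expensive)."""
    m = MANGLE_PATTERN.match(password)
    if not m:
        return None
    word, digits, _symbol = m.groups()
    if word.lower() not in SAMPLE_WORDLIST:
        return None
    if word not in (word.lower(), word.capitalize()):
        return None  # e.g. "pAsSwOrD": not one of the two capitalisation rules tried
    if len(digits) > MAX_DIGITS:
        return None
    # Candidates = words * {as-is, Capitalised} * every digit suffix of length
    # 0..MAX_DIGITS * {no symbol, one of SYMBOLS}.
    digit_suffixes = sum(10 ** k for k in range(MAX_DIGITS + 1))
    candidates = wordlist_size * 2 * digit_suffixes * (1 + len(SYMBOLS))
    return math.log2(candidates)


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words drawn uniformly and independently from a list of
    list_size words (the XKCD 'correct horse battery staple' construction)."""
    return n_words * math.log2(list_size)


def compare(password: str) -> dict:
    """Both estimates side by side for one password."""
    mangled = mangled_word_bits(password)
    return {"password": password,
            "naive_bits": round(naive_bits(password), 1),
            "mangled_word_bits": None if mangled is None else round(mangled, 1)}


if __name__ == "__main__":
    for pw in ["Password1", "Dragon2011!", "pAsSwOrD1", "xK9$mQ2r!"]:
        print(compare(pw))
    # A 25-letter passphrase scores ~117 bits by character counting, but if
    # the attacker knows it is four words from a 2048-word list it is 44 bits.
    print("correcthorsebatterystaple naive:",
          round(naive_bits("correcthorsebatterystaple"), 1),
          "as 4 words from 2048:", passphrase_bits(4, 2048))
```

"Password1" comes out at about 53.6 bits under the character-counting model and about 33.5 bits under the mangling-rule model, and the latter is still generous, since a real attack orders candidates by frequency and finds the common ones long before exhausting the space. The passphrase comparison works the other way round: character counting overstates "correcthorsebatterystaple" too, and the honest figure is the one that counts the words, not the letters.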