I think the XKCD reference is a great one. The truth is that most passwords or passphrases are very weak at using all the available entropy for a string their length. Requiring passwords to have at least one capital and one number will usually result in passwords that use a dictionary word starting with a capital and have 1 tacked onto the end, and that's predictable enough to incorporate into a cracking algorithm. Unless you use a completely random, very difficult to memorize password, the (available characters)**length approach will grossly overestimate password strength.
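The gap described in the comment above can be put in numbers with a small strength-meter sketch. This is an added example, not part of the original comment; the sample word list `WORDS` and the dictionary size `DICT_SIZE` are assumptions chosen for illustration.

```python
import math
import re
import string

# Constructed sample word list; a real meter would load a full dictionary.
WORDS = {"password", "dragon", "monkey", "sunshine", "welcome", "princess"}
# Assumed size of the dictionary a guesser works from (illustrative value).
DICT_SIZE = 100_000

def naive_bits(pw):
    """Bits claimed by the (available characters)**length formula."""
    pool = 0
    for charset in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation):
        if any(c in charset for c in pw):
            pool += len(charset)
    return len(pw) * math.log2(pool) if pool else 0.0

def pattern_bits(pw):
    """Bits if pw is '[Cc]apitalized dictionary word + digits', else None."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", pw)
    if not m:
        return None
    word, digits = m.groups()
    # Accept only all-lowercase or first-letter-capitalized forms.
    if word[1:] != word[1:].lower() or word.lower() not in WORDS:
        return None
    case_variants = 2                      # "word" and "Word"
    # Every digit suffix up to this length, including no suffix at all.
    suffixes = sum(10 ** k for k in range(len(digits) + 1))
    return math.log2(DICT_SIZE * case_variants * suffixes)

def estimate(pw):
    """Report the lower of the naive figure and the pattern-based figure."""
    p = pattern_bits(pw)
    n = naive_bits(pw)
    return n if p is None else min(n, p)

if __name__ == "__main__":
    for pw in ("Password1", "xK9#qT2!v"):  # constructed sample inputs
        print(f"{pw!r}: naive {naive_bits(pw):.1f} bits, "
              f"estimate {estimate(pw):.1f} bits")
```

For `Password1` the naive formula reports about 53.6 bits, while the pattern model gives about 21.1 bits; the random-looking string matches no pattern, so its naive figure stands.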
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.