
XKCD - Password Strength - You are doing it wrong - markokocic
http://imgs.xkcd.com/comics/password_strength.png
======
alister
This is wonderfully counter-intuitive even for security geeks.

The point could be made even more concisely by saying that "correct horse
battery staple" and "}7m`5T-" are equally good.

Who would imagine that four randomly-chosen--but common--English words have
the same entropy as a 7-character password that selects from all 95 printable
ASCII characters. (2^44 = 95^7, more or less)

~~~
bartonfink
I'm not sure how it's counter-intuitive, though. Maybe my intuition just works
differently from most folks, but it seems self-evident that there's some point
at which a larger string of characters from a smaller alphabet has more
entropy than a smaller string from a larger alphabet. It's relatively simple
combinatorics that doesn't need a sophisticated analysis to demonstrate.

What bothers me is that so many people's intuition is wrong, which leads to
ridiculous policies. I'd have much more respect for a policy that tells me
"our minimum password length is 20 characters" than for the more usual policy
that states "our minimum password length is 8 characters, and for security
reasons passwords must contain at least one capital letter, one number and one
special character, and no characters can repeat, and this must be different
from your last 18 passwords, and this password will expire in 30 days..."

------
fexl
Diceware works well: <http://world.std.com/~reinhold/diceware.html>

I find it surprisingly easy to remember even a ten word passphrase, which has
about 130 bits of entropy. Such a long phrase is overkill for a web site, but
is good for encrypted drives.
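The entropy arithmetic behind alister's comparison (four common words vs. seven printable-ASCII characters) and fexl's ten-word Diceware figure, worked through as an added example that is not part of the thread. The list sizes (2048 common words, 95 printable ASCII characters, 7776 Diceware words) and the function names are assumptions chosen to match the numbers quoted above.

```python
import math
import secrets

# Alphabet sizes assumed from the thread: an xkcd-style list of ~2048 common
# words (2^11), the 95 printable ASCII characters, and Diceware's 6^5 words.
COMMON_WORDS = 2048
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 6 ** 5


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet.

    Only valid when every symbol is chosen at random (dice, CSPRNG); a
    human-picked phrase has far less entropy than this formula suggests."""
    return length * math.log2(alphabet_size)


def equivalent_length(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of symbols from `alphabet_size` reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def diceware_index(rolls) -> int:
    """Map five d6 rolls (each 1..6) to a 0-based index into a 7776-word list.

    Diceware lists are keyed by the five-digit roll read as a base-6 number."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls of 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Pick n_words uniformly with a CSPRNG, the software stand-in for dice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(f"4 common words : {entropy_bits(COMMON_WORDS, 4):.1f} bits")
    print(f"7 ASCII chars  : {entropy_bits(PRINTABLE_ASCII, 7):.1f} bits")
    print(f"10 Diceware    : {entropy_bits(DICEWARE_WORDS, 10):.1f} bits")
    print(f"ASCII chars for 130 bits: {equivalent_length(PRINTABLE_ASCII, 130)}")
```

Run as a script it prints 44.0, 46.0 and 129.2 bits respectively, and shows that matching ten Diceware words with printable ASCII needs 20 characters.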

