On 5/7/07, Snowolf mtazio@gmail.com wrote:
> I've added a question to all en.wp's running RfA that asks candidates if their password is "[[..] alphanumeric? Formed by at least 8 characters? Not by words in the dictionary? Not in the weakest password list?".
Careful: most of these factors trade off against each other.
For example, an S/KEY pass phrase looks like "TWIG LET IFFY DATE RON CARL". All dictionary words, easy to type and remember... Yet it contains 64bits of entropy, which is far better than what you usually get when you tell people "mixed character classes, at least 8 characters, not words in the dictionary".
Most people given those restrictions type out letter patterns on the keyboard. Cracking programs like john the ripper have rules systems which predict such patterns with frightening accuracy.
The correct advice should be to use a phrase instead of a 'word'. "i like fluffy rice at 6am!" is a reasonably strong password. Throw in a short random string and you have something that isn't practicably crackable even by someone targeting only your account.... at that point someone who wanted to control your account would have an easier time tricking you into running a password grabbing trojan.
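The entropy comparison behind the S/KEY remark above, as an added example that is not part of the original message or of any S/KEY implementation: six words drawn from a 2048-word list encode 66 bits (64 bits of key plus the RFC 2289 two-bit checksum), while an 8-character password chosen uniformly from letters and digits carries under 48 bits, and a keyboard pattern far less. The word list here is a constructed stand-in of 2048 synthetic tokens (the real RFC 2289 dictionary is not reproduced); the function names are this example's own.

```python
import math

# Constructed stand-in for the 2048-word RFC 2289 dictionary.  Any list of
# 2048 distinct words gives the same encoding properties; the real words
# (TWIG, LET, IFFY, ...) are not reproduced here.
WORDLIST = [f"W{i:04d}" for i in range(2048)]


def policy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from an
    alphabet of the given size: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def skey_checksum(value: int) -> int:
    """RFC 2289 two-bit checksum: sum of all 2-bit groups of the 64-bit
    value, reduced mod 4.  Catches a single mistyped word on decode."""
    total = 0
    for shift in range(0, 64, 2):
        total += (value >> shift) & 0b11
    return total & 0b11


def encode_skey(value: int, words=WORDLIST) -> list[str]:
    """Turn a 64-bit integer into six dictionary words of 11 bits each.
    The words are all 'in the dictionary', yet the phrase carries exactly
    the 64 bits of entropy that went in."""
    if not 0 <= value < 2**64:
        raise ValueError("value must fit in 64 bits")
    bits = (value << 2) | skey_checksum(value)  # 66 bits, checksum lowest
    # Most significant 11-bit group becomes the first word.
    return [words[(bits >> (11 * (5 - i))) & 0x7FF] for i in range(6)]


def decode_skey(phrase: list[str], words=WORDLIST) -> int:
    """Inverse of encode_skey; raises if the checksum does not match."""
    index = {w: i for i, w in enumerate(words)}
    bits = 0
    for w in phrase:
        bits = (bits << 11) | index[w]
    value = bits >> 2
    if (bits & 0b11) != skey_checksum(value):
        raise ValueError("checksum mismatch: a word was mistyped")
    return value


def compare_policies() -> dict[str, float]:
    """Bits of entropy for the password styles discussed in the thread,
    assuming each is chosen uniformly at random within its own rule."""
    return {
        # 8 characters, letters and digits only (62 symbols)
        "8 alphanumeric": policy_bits(62, 8),
        # 8 characters from the 95 printable ASCII symbols
        "8 printable ASCII": policy_bits(95, 8),
        # 6 words from a 2048-word list (S/KEY style)
        "6 S/KEY words": policy_bits(2048, 6),
        # a 6-word phrase from a modest 8000-word everyday vocabulary
        "6 common words": policy_bits(8000, 6),
    }


if __name__ == "__main__":
    sample = 0x1234567890ABCDEF
    phrase = encode_skey(sample)
    print(" ".join(phrase), "->", hex(decode_skey(phrase)))
    for name, bits in compare_policies().items():
        print(f"{name:20s} {bits:6.1f} bits")
```

The figures assume a uniformly random choice, which is the point of the reply: the moment a human picks the 8-character password by hand, cracker rule sets shrink the effective space well below the nominal 47.6 bits, whereas the six words are generated for the user and keep their full 64 bits.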