Clemson University recently forced everyone to update their passwords to ones that zxcvbn considers secure. zxcvbn is actually pretty good and breaks down password strength very well. Unfortunately a lot of people are annoyed, especially because many of them credit a larger character space, rather than length, with making a password more secure. Specifically, someone was expressing their annoyance that something roughly like ‘a!r^&B’ was not considered secure enough. To make it clear with a simplification: against a brute-force attacker the entropy of a password is length * log2(charspace) bits, so widening the character space adds entropy as O(log(charspace)) while adding length adds entropy as O(length). Obviously longer passwords are way better, but we have a long way to go to convince people that the common notion of password strength is wrong and that length matters more than anything else. Under that same model, even a short sentence is many orders of magnitude harder to exhaust than a short string of random gibberish. The first is more secure and easy to remember, where the second is not very secure and hard to remember. In short, xkcd: Password Strength.
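To put numbers on the length-versus-character-space argument, here is an added example (my own code, not part of the original post and not zxcvbn) that computes the brute-force entropy model from the paragraph above. The character classes and their sizes, the 2048-word list used for the passphrase comparison, and the guess rate used for the time estimate are all assumptions I chose for illustration; zxcvbn itself uses a pattern-aware guess estimate rather than this simple formula, which is why a sentence of common words scores below what its raw character count suggests.

```python
import math
import string

# Assumed character classes (printable ASCII); each class contributes its size
# to the alphabet an attacker must brute-force once any member appears.
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),   # string.punctuation has 32 symbols
    ({" "}, 1),
)

# Assumed word-list size for the passphrase comparison (xkcd-style, 11 bits/word).
ASSUMED_WORDLIST_SIZE = 2048

# Assumed offline guess rate for the time estimate (hypothetical, for scale only).
ASSUMED_GUESSES_PER_SECOND = 1e10


def charspace_for(password: str) -> int:
    """Size of the union of character classes that cover every character."""
    return sum(size for chars, size in _CLASSES if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Entropy under a brute-force attacker: length * log2(charspace)."""
    return len(password) * math.log2(charspace_for(password))


def wordlist_bits(word_count: int, wordlist_size: int = ASSUMED_WORDLIST_SIZE) -> float:
    """Entropy if the attacker knows the passphrase is words drawn from a list."""
    return word_count * math.log2(wordlist_size)


def bits_gained_by_widening(length: int, old_space: int, new_space: int) -> float:
    """Extra bits from enlarging the alphabet at fixed length: O(log(charspace))."""
    return length * (math.log2(new_space) - math.log2(old_space))


def bits_gained_by_lengthening(charspace: int, extra_chars: int) -> float:
    """Extra bits from adding characters at fixed alphabet: O(length)."""
    return extra_chars * math.log2(charspace)


def seconds_to_exhaust(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try the whole keyspace at the assumed guess rate."""
    return 2 ** bits / rate


if __name__ == "__main__":
    gibberish = "a!r^&B"                      # the complaint from the post
    sentence = "correct horse battery staple"  # xkcd's four-word passphrase

    print(f"{gibberish!r}: alphabet {charspace_for(gibberish)}, "
          f"{brute_force_bits(gibberish):.1f} bits, "
          f"{seconds_to_exhaust(brute_force_bits(gibberish)):.0f} s to exhaust")
    print(f"{sentence!r}: brute-force model {brute_force_bits(sentence):.1f} bits; "
          f"word-list model {wordlist_bits(4):.1f} bits, "
          f"{seconds_to_exhaust(wordlist_bits(4)):.0f} s to exhaust")

    # Same six-character budget: widen 26 -> 84 symbols, or add six lowercase letters.
    print(f"widening alphabet 26->84 at length 6 gains "
          f"{bits_gained_by_widening(6, 26, 84):.1f} bits")
    print(f"adding 6 lowercase characters gains "
          f"{bits_gained_by_lengthening(26, 6):.1f} bits")
```

Note that even the pessimistic word-list model (the attacker knows the passphrase is four words from a 2048-word list) still beats six random printable characters, and the brute-force model for the sentence is dozens of bits higher again; both are well above the roughly 38 bits of ‘a!r^&B’.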