Changing Passwords


Clemson University recently forced everyone to update their passwords to ones considered secure by zxcvbn. This system is actually pretty good and breaks down password security very well. Unfortunately, a lot of people are annoyed, especially because many people equate a larger character space with a more secure password rather than equating greater length with a more secure password. Specifically, someone was expressing their annoyance that something that is roughly 'a!r^&B' was not considered secure enough.

To make it clear with a simplification: extra character space increases entropy by O(log(charspace)), whereas length increases entropy by O(length). Obviously longer passwords are way better, but we have a long way to go to convince people that everyone's current notions of password strength are incorrect and that length matters more than anything else. Even just a short sentence is many orders of magnitude more secure than a short string of random gibberish. The first is more secure and easy to remember, whereas the second is not very secure and hard to remember. In short, xkcd: Password Strength.
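
A worked version of the charspace-versus-length comparison, added here as an example and not part of the original post. It assumes every character (or word) is chosen uniformly at random, which is an upper bound for human-chosen passwords; the function names, the sample strings and the 7776-word list size (the Diceware list) are assumptions of the example.

```python
import math
import string

# Character classes used to guess the character space an attacker must search.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def charspace(password: str) -> int:
    """Size of the smallest union of character classes covering the password."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Anything outside those classes (spaces, Unicode) is counted one by one.
    extra = {ch for ch in password if not any(ch in c for c in CLASSES)}
    return size + len(extra)

def brute_force_bits(password: str) -> float:
    """Entropy in bits if every character were drawn uniformly at random."""
    return len(password) * math.log2(charspace(password))

def extra_length_to_match(length: int, small: int, large: int) -> int:
    """Characters to add over `small` symbols to match `length` over `large`."""
    target = length * math.log2(large)
    return math.ceil(target / math.log2(small)) - length

def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words picked uniformly from a list of that size."""
    return words * math.log2(wordlist_size)

if __name__ == "__main__":
    # Constructed samples: the post's 6-character example, then lowercase-only
    # strings of 8 and 16 characters.
    for pw in ("a!r^&B", "arxkqbwm", "arxkqbwmzpdnfhtc"):
        print(f"{pw!r:20} space={charspace(pw):3} bits={brute_force_bits(pw):5.1f}")
    # Widening 26 -> 94 symbols at length 6 is matched by a few extra letters.
    print(extra_length_to_match(6, 26, 94), "more lowercase characters match 6 of 94")
    print(f"4 words from 7776: {passphrase_bits(4, 7776):.1f} bits")
```

Going from 26 to 94 symbols adds under two bits per character, so three extra lowercase letters already cancel the gain at length 6, while doubling the length doubles the bits.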