Steve Gibson's Password Haystacks page dispels the conventional wisdom about passwords, i.e., that a long random string of characters takes longer to crack with a brute-force attack than an easy-to-remember phrase.
That's not wrong.

Then again, no security expert with whom I've interacted has said this. There are four generally accepted criteria:

  • Nine or more characters in length
  • At least one capital and one small letter
  • At least one number
  • At least one "non-standard" character (like (, #, /, ), @ and so on)

And if at least three of those criteria are met, that's considered a strong password. There are suggestions on how to apply these criteria, like substituting numbers or symbols for certain letters. I've never seen randomness used as a criterion, though, except in high-security situations where passwords are kept in a kind of software "vault" and changed after each use (generally referred to as OTP, or One-Time Passwords).
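As an added example, not part of the original post and not code from Gibson's page, the script below scores a password against the four criteria listed above and the three-of-four rule, and next to that computes the brute-force search space the way a Haystack-style calculation does: once a character class is seen in use, the attacker must assume the whole class, and the search space for a password of length L over an alphabet of n characters is n + n^2 + ... + n^L. It assumes class sizes of 26 lower, 26 upper, 10 digits and 33 printable symbols (a 95-character alphabet) and an assumed offline guessing rate of 10^11 guesses per second; both are assumptions, not figures from the post. The two long sample passwords are the 23-character random and 24-character padded examples from the Haystacks page; the short one is constructed here.

```python
import string

# Character-class sizes used for the search-space ("haystack") estimate.
# Assumption: 26 lower, 26 upper, 10 digits and 33 printable symbols
# (32 ASCII punctuation marks plus the space), a 95-character alphabet.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def classes_used(password):
    """Return the set of character classes that appear in the password."""
    used = set()
    for c in password:
        if c in string.ascii_lowercase:
            used.add("lower")
        elif c in string.ascii_uppercase:
            used.add("upper")
        elif c in string.digits:
            used.add("digit")
        else:
            used.add("symbol")  # anything else counts as a "non-standard" character
    return used


def criteria(password):
    """Evaluate the four conventional criteria from the post above."""
    used = classes_used(password)
    return {
        "length9": len(password) >= 9,
        "mixed_case": {"lower", "upper"} <= used,
        "digit": "digit" in used,
        "symbol": "symbol" in used,
    }


def is_strong_by_policy(password):
    """The 'at least three of the four criteria' rule described in the post."""
    return sum(criteria(password).values()) >= 3


def alphabet_size(password):
    """Alphabet an attacker must assume once each class is known to be in use."""
    return sum(CLASS_SIZES[k] for k in classes_used(password))


def search_space(password):
    """Candidates an exhaustive search must try to cover every string up to
    this length over this alphabet: n^1 + n^2 + ... + n^L."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password, guesses_per_second=10**11):
    """Worst-case time to exhaust the space at an assumed offline guessing
    rate (1e11 guesses/s is an assumption, not a figure from the post)."""
    return search_space(password) / guesses_per_second


if __name__ == "__main__":
    samples = [
        "Tr0ub&dr",                  # constructed: 8 chars, meets 3 of 4 criteria
        "PrXyc.N(n4k77#L!eVdAfp9",   # 23-char random example from the Haystacks page
        "D0g.....................",  # 24-char padded example from the Haystacks page
    ]
    for pw in samples:
        years = seconds_to_exhaust(pw) / (365.25 * 24 * 3600)
        print(f"{pw!r}: policy_strong={is_strong_by_policy(pw)} "
              f"alphabet={alphabet_size(pw)} space={search_space(pw):.3e} "
              f"years_to_exhaust={years:.3e}")
```

Running it shows the two things the post and Gibson's page are each making: the 8-character constructed password passes the three-of-four policy yet its entire space (about 6.6e15 candidates) falls to an offline attack in under a day at the assumed rate, while the 24-character padded "D0g" string, which a person can remember, has a larger search space than the 23-character random string simply because it is one character longer over the same 95-character alphabet.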