A Good Password

You’ve Been Misled About What Makes a Good Password

Common advice on how to make a strong password is misleading, according to a new study of password-guessing techniques.

Tom Simonite | October 19, 2015

“Password must include upper and lowercase letters, and at least one numeric character.” A common scold dished out by websites or software when you open an account or change a password—and one that new research suggests is misleading.
A study that tested state-of-the-art password-guessing techniques found that requiring numbers and uppercase characters in passwords doesn’t do much to make them stronger. Making a password longer or including symbols was much more effective.

Source: http://www.rocking-minds.org/blog/2012-11-01/worst_passwords_of_2012

This 11-year-old is selling cryptographically secure passwords for $2 each. Girl makes Diceware passwords, rolled with real dice, written by hand, sent by mail. Source: http://arstechnica.com/business/2015/10/this-11-year-old-is-selling-cryptographically-secure-passwords-for-2-each/ 

<more at http://www.technologyreview.com/news/542576/youve-been-misled-about-what-makes-a-good-password/; related links: http://www.eurecom.fr/en/publication/4711/detail/monte-carlo-strength-evaluation-fast-and-reliable-password-checking (Monte Carlo Strength Evaluation: Fast and Reliable Password Checking. Frederico Dell'Amico and Maurizio Fillippone. October 2015. [Summary: Modern password guessing attacks adopt sophisticated probabilistic techniques that allow for orders of magnitude less guesses to succeed compared to brute force. Unfortunately, best practices and password strength evaluators failed to keep up: they are generally based on heuristic rules designed to defend against obsolete brute force attacks. Many passwords can only be guessed with significant effort, and motivated attackers may be willing to invest resources to obtain valuable passwords. However, it is eminently impractical for the defender to simulate expensive attacks against each user to accurately characterize their password strength. This paper proposes a novel method to estimate the number of guesses needed to find a password using modern attacks. The proposed method requires little resources, applies to a wide set of probabilistic models, and is characterised by highly desirable convergence properties. The experiments demonstrate the scalability and generality of the proposal. In particular, the experimental analysis reports evaluations on a wide range of password strengths, and of state-of-the-art attacks on very large datasets, including attacks that would have been prohibitively expensive to handle with existing simulation-based approaches.]) and http://arstechnica.com/business/2015/10/this-11-year-old-is-selling-cryptographically-secure-passwords-for-2-each/ (This 11-year-old is selling cryptographically secure passwords for $2 each. Girl makes Diceware passwords, rolled with real dice, written by hand, sent by mail. October 25, 2015)>