-3

I always hear conflicting things.

Should I use a long sentence? Or is this privy to dictionary attacks? Or should I use a long string of random alphanumeric garbage with upper/lowercase and numbers/symbols/etc?

user2175923
  • 21
  • 2

2 Answers2

1

A strong password is a random password. By "random" I mean: "whatever process produced that password could have produced a lot of other distinct passwords". "Entropy" is the name of the mathematical concept by which this randomness can be expressed. Take care that "password entropy" is a property of the process which generated the password, and cannot be measured on the password itself (regardless of what so-called "password meters" may claim).

This question is the classic reference here; see in particular this answer for what "entropy" means, and that answer for an important meta viewpoint, namely that a good password must have high entropy but also be easy to remember by human beings.

Community
  • 1
Tom Leek
  • 168,808
  • 28
  • 337
  • 475
0

I can't think of any better way to describe it than how XKCD did.

Woodsy
  • 39
  • 4
  • But isn't that technically just four elements of entropy if we assume the password is composed of words? – user2175923 Jan 11 '14 at 15:39
  • So define "element" in this context. If memory serves, there are about 2^18 words in English. And you're dealing with combinations: is it "correct horse battery staple" or "correct battery staple horse" or "correct battery horse staple" ...? Randall did the math, and he claims in the comic it provides 44 bits of uncertainty, yet it remains easy for a person to remember. – John Deters Jan 11 '14 at 17:44
  • 2
    @user2175923 The computer trying to guess the password won't know it's four different words - they are seen as one, long string of encrypted gibberish. Eventually the computer has to try every combination possible (for a brute force with no predefined rules) to get to that string, going from a, aa, ab, ac... b, ba, bc.. until it gets to those words. Think about how LONG that would take! – cutrightjm Jan 11 '14 at 19:47
  • 1
    THis is essentially a link only answer. Please add additional information to your post describing the contents of the link. – Xander Jan 11 '14 at 19:58