Yep. And yet many many many people are taught the holy triad of "at least one uppercase one lowercase and one special character!"
Since most strings following these rules are hard to remember, and humans being humans, we get passwords that follow simple, predictable, and easily guessable patterns like
aAbBcCdD1234!
Follows every rule in the holy triad and is likely to be cracked in seconds from some rainbow table.
There are two points to add: (1) If you use a randomly generated password of upper/lower/punctuation that's 63^length; (2) Four words is vocabulary^4.
One breakeven point is 63^10 (9.8e17) ~ 20000^4 (1.6e17).
This is being quite generous to the four words as the likelyhood of word selection from the vocabulary would be far from uniform. Also offset by the fact that shorter length passwords are brute-forced. If four-words became the dominant meta then we could instead have brute force applied to the word dictionary forms.
Use shuf(1) to pick words reliably randomly from /use/share/dict/ dictionaries. It is not a mistake to misspell the words proposed, but not necessary. Preserving capitalization is not necessary.
6 comments
[ 3.4 ms ] story [ 26.1 ms ] threadSince most strings following these rules are hard to remember, and humans being humans, we get passwords that follow simple, predictable, and easily guessable patterns like
Follows every rule in the holy triad and is likely to be cracked in seconds from some rainbow table.https://en.wikipedia.org/wiki/Diceware
One breakeven point is 63^10 (9.8e17) ~ 20000^4 (1.6e17).
This is being quite generous to the four words as the likelyhood of word selection from the vocabulary would be far from uniform. Also offset by the fact that shorter length passwords are brute-forced. If four-words became the dominant meta then we could instead have brute force applied to the word dictionary forms.