Xennith wrote:
Correcthorsebatterystaple type passwords are great against bruteforce but less wonderful against dictionary hybrid attacks with a rule along the lines of %w%w%w%w. This kind of hybridised attack is gaining popularity and it really does perform very well against a wide spectrum of password types.
It's nice to see another contrarian. While xkcd is often funny, in this case, I also disagree with his assertion -- that 4 dictionary words comprise sufficient entropy. (I would love to know how that was calculated.)
In order of importance:
- Length (12+ characters; more is better)
- Large keyspace (upper/lower, numbers, specials)
- Minimize predictability (no dictionary words, not even leetspeak)
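A rough way to see the gap Xennith describes, added here as an illustration and not code from anyone in the thread: estimate the work in bits under a character-level brute-force model and under a word-concatenation (%w%w%w%w) model, then take the smaller, since the weakest applicable attack sets the real strength. The toy word list and the 2048-entry dictionary size are assumptions chosen for the example.

```python
import math
import re
from typing import List, Optional

# Constructed toy word list standing in for an attacker's dictionary. Only the
# membership test uses it; the size of a real list is passed in separately.
TOY_WORDS = {"correct", "horse", "battery", "staple", "password", "dragon"}

def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover if they know only which classes appear."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33   # printable ASCII specials
    return size

def brute_force_bits(pw: str) -> float:
    """Work in bits for exhaustive search over charset_size(pw) ** len(pw)."""
    return len(pw) * math.log2(charset_size(pw))

def word_segments(pw: str, words: set) -> Optional[List[str]]:
    """Fewest dictionary words whose concatenation is exactly pw (the %w%w%w%w
    shape), or None if pw cannot be built from the dictionary at all."""
    best: List[Optional[List[str]]] = [None] * (len(pw) + 1)
    best[0] = []
    for end in range(1, len(pw) + 1):
        for start in range(end):
            if best[start] is not None and pw[start:end] in words:
                cand = best[start] + [pw[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(pw)]

def hybrid_bits(pw: str, words: set, dict_size: int) -> Optional[float]:
    """Work in bits for a rule that chains n words from a dict_size list.
    Assumes the rule fixes n, so the estimate is n * log2(dict_size);
    None when the password is not a pure word chain."""
    seg = word_segments(pw, words)
    return None if seg is None else len(seg) * math.log2(dict_size)

def effective_bits(pw: str, words: set = TOY_WORDS, dict_size: int = 2048) -> dict:
    """Report both attack models and their minimum (the cheapest one wins)."""
    brute = brute_force_bits(pw)
    hybrid = hybrid_bits(pw, words, dict_size)
    return {"brute_force": brute, "hybrid": hybrid,
            "effective": brute if hybrid is None else min(brute, hybrid)}

if __name__ == "__main__":
    for pw in ("correcthorsebatterystaple", "xK9#fLq2Wz!p"):   # constructed samples
        print(pw, effective_bits(pw))
```

With a 2048-word list the four-word passphrase scores about 117 bits against brute force but only 44 against the word-chain rule, while the 12-character mixed-class string scores the same (about 79 bits) under both because no word rule applies to it.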