Why is 3 random words as a password better than a load of random characters?


75 Answers

Anonymous 0 Comments

I don’t know that it is. Password strength is based on how many tries it would take someone to guess your password. The simplest way to guess is to try every possible combination: “A” then “B” then “C” and after a while guess “AA”, then “AB”… This is called “Brute Force” and is used because following that pattern, eventually all passwords will be guessed. The downside of brute force is that as passwords get longer the more tries it takes to guess the password.

For example, if your password is 1 character long then there are only about 250 possible passwords to guess (all characters, numbers and symbols). A computer can try all of them in a fraction of a second. If your password is 2 characters long, then there are about 250 * 250 or 62,500 possible passwords. Still something a modern computer can do in under a second. Add a third character to your password and now you’re up to 62,500 * 250 possible passwords that have to be tried, and you can see how as you add characters it gets a lot more difficult for even a powerful computer to try all the combinations. If your password is 10 characters long, then a hacker would have to try 250 raised to the power of 10–an exceptionally daunting task.

The challenge with long passwords is that it gets increasingly harder to remember a long string of characters. One way to help remember a longer password is to use words: “4gx91pL$2ax7” is really hard to remember, but “GoldFishBowl” is pretty easy. A brute force would need to try 250 raised to the 12th power passwords before it is guaranteed to find that password. But knowing that someone is using words and not any random character allows a hacker to reduce the number of passwords he has to try. If he knows that you are using only upper and lower case characters the number of passwords can be reduced: 26 upper case letters, 26 lower case letters = 52 possible characters per length.

The number of passwords he has to try is now 52 raised to the power of 12 guesses to find the “GoldFishBowl” password. Still a big number, but vastly smaller than the random list of characters. But a hacker can take that a bit further. If he knows that you are using words he can just try combinations of English words (or whatever language you speak). There are no more than about 4,000 common words in a given language. If the hacker knows you use a combination of three words all he has to do is sort through all those combinations: 4,000 * 4,000 * 4,000 or about 64 billion passwords–sounds big, but a modern computer can probably crank through that in a few days or weeks.

One final issue is that humans are really predictable in generating passwords. They use things like birthdays, common pet names, names of sports teams. There are lists available on the net that have the statistically most common passwords to try. If you use such a predictable password, you might as well be using a single character password because a hacker can guess it in the same amount of time.

Anonymous 0 Comments

In password cracking, each additional character exponentially increases the time required to crack the hashed password.

Anonymous 0 Comments

It’s based on the hypothesis that the hacker would try to brute force it using every possible string by testing all characters, starting with the shortest string.

If the hacker guesses you’re using a group of words because it’s getting common, then he can try a group of 3 words from the 2000 most common words, and now they have only 8 billion combinations. Around the same as 5 ASCII characters.

So 3 words is very bad if it gets common. It only works if no hacker thinks you could possibly do that. Since many people suggest that, that’s most likely a terrible idea.
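The arithmetic in the first answer (250 symbols per position, 52 letters per position, three words from a 4,000-word list) and in the answer just above (three words from 2,000 words being roughly five ASCII characters) can be put side by side as search-space sizes in bits. The script below is an added example, not code from any answer on this page; the 10^10 guesses-per-second cracking rate and the short word list are assumptions made only for illustration, and a real passphrase list would hold thousands of words.

```python
import math
import secrets

# Constructed sample word list, kept tiny so the example runs stand-alone.
# A real passphrase list has thousands of entries (the answers mention 2,000 and 4,000).
SAMPLE_WORDS = ["gold", "fish", "bowl", "river", "lamp", "orbit", "maple", "quartz"]

# Assumed offline cracking speed (guesses per second), for illustration only.
ASSUMED_GUESSES_PER_SECOND = 1e10


def guesses_to_exhaust(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must try to exhaust the search space when each of
    `length` positions is drawn independently from `alphabet_size` choices."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random choice from that search space."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to run through the whole space at `rate` guesses/second."""
    return guesses_to_exhaust(alphabet_size, length) / rate


def compare_schemes(rate: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Search space each attacker model faces, for the cases discussed in the answers.

    Keys name the attacker's assumption about how the password was built;
    values are (entropy in bits, days to exhaust the space at `rate`)."""
    cases = {
        # Attacker assumes nothing: ~250 possible symbols per position.
        "12 chars, any of ~250 symbols": (250, 12),
        # Attacker knows it is letters only: 52 per position.
        "12 chars, upper+lower letters": (52, 12),
        # Attacker knows it is three words from a 4,000-word list.
        "3 words from 4,000": (4000, 3),
        # Attacker knows it is three words from a 2,000-word list.
        "3 words from 2,000": (2000, 3),
        # Baseline the second answer compares against: 5 printable ASCII characters.
        "5 chars, 95 printable ASCII": (95, 5),
    }
    return {
        name: (round(entropy_bits(n, k), 1),
               seconds_to_exhaust(n, k, rate) / 86400)
        for name, (n, k) in cases.items()
    }


def generate_passphrase(words: list[str], count: int) -> list[str]:
    """Pick `count` words uniformly at random with a CSPRNG.

    The strength is entropy_bits(len(words), count): it comes from the size of
    the list and the randomness of the draw, not from the words looking obscure.
    A phrase a human picks by hand is drawn from a far smaller, guessable set."""
    return [secrets.choice(words) for _ in range(count)]


if __name__ == "__main__":
    for name, (bits, days) in compare_schemes().items():
        print(f"{name:32s} {bits:6.1f} bits  {days:>14.3g} days")
    print("sample passphrase:", " ".join(generate_passphrase(SAMPLE_WORDS, 3)))
```

Running it shows the point both answers make: the same 12-letter string is worth about 95 bits if the attacker must assume 250 symbols per position, about 68 bits once they know it is letters only, and under 36 bits once they know it is three dictionary words, which is why word-based passphrases only hold up when the words are drawn at random from a large list rather than chosen by a person.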

Anonymous 0 Comments

Only because the user can remember three random words more easily than 12-15 random characters. A totally random password is harder to crack, but it does no good if the user can’t remember it and has to write it down or reverts to 12345 because he cannot access his device or files.

Anonymous 0 Comments

On the contrary, there is a difference. It IS better to use random characters because, while brute force techniques still have just as many characters to run through, the process can be sped up using rainbow tables or just plain dictionary files, which significantly speed up the process.
