Why is a random character password considered “weaker” than a catchphrase with letters and symbols?


The logic is that you want a password which is easy for you to remember but hard for a computer to guess. Computers are excellent at guessing random letters and symbols; however, you have a hard time remembering them, so you can only remember short passwords. The way human memory works makes it easier to remember places, actions and items rather than random characters. But there are so many possible words that computers have a very hard time guessing which words you used.

Length is a far better defense than complexity

You can measure password complexity by measuring the [“bits of entropy”](https://en.wikipedia.org/wiki/Password_strength#Random_passwords): basically how many possible combinations there can be, which determines how hard it is to guess from a database.

Lowercase letters are 4.7 bits per letter, so an 8 character lowercase-only password (if you know it's lowercase only) is only 37.6 bits hard.

If you bump that up to using all available letters, numbers, and symbols then you get 6.555 bits per character, so 52.4 bits. It seems like this should be a bit under twice as hard just by looking at 37 vs 52, but remember it's bits here, so 38 has twice as many combinations as 37; it's actually about 32,000x harder to guess (2^15), but adding all the symbols also makes it harder to remember.

If you instead stick with lowercase only but go for a 12 character password, you get 56.4 bits of difficulty without needing all the weird symbols that make it harder to remember.

A catchphrase generally results in a simple but long password. CorrectHorseBatteryStaple is as strong as P4ssW0rd$ even if you know it's basic words with capital letters at the front, and even stronger if you don't.
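As an added example (not part of the original answer), a small Python script that does the entropy arithmetic above for both random-character passwords and word-based passphrases, and turns the bit counts into a "times harder" ratio and an expected brute-force time. The 94-character set (printable ASCII without space) reproduces the answer's 6.555 bits per character; the 7776-word dictionary is the Diceware list size, assumed here.

```python
import math

# Character-set sizes for random-character passwords.
LOWERCASE = 26                        # a-z, about 4.70 bits per character
PRINTABLE_ASCII = 26 + 26 + 10 + 32   # upper, lower, digits, symbols = 94, about 6.555 bits
DICEWARE_WORDS = 7776                 # assumed dictionary size for passphrases (6^5 words)


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of `length` characters each drawn uniformly from `charset_size`
    symbols: log2(charset_size ** length) = length * log2(charset_size)."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(dictionary_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly from a dictionary. The attacker is
    assumed to know the scheme (word list, capital letters at the front), so the
    letters inside each word add nothing beyond the word choice itself."""
    return words * math.log2(dictionary_size)


def times_harder(bits_a: float, bits_b: float) -> float:
    """How many times more guesses a password of bits_a needs than one of bits_b.
    Each extra bit doubles the search space, so the ratio is 2 ** (difference)."""
    return 2 ** (bits_a - bits_b)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time at a given guess rate: on average half of the
    2**bits possibilities are tried before the right one is found."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate of one billion hashes per second
    cases = [
        ("8 chars, lowercase only", charset_entropy_bits(LOWERCASE, 8)),
        ("8 chars, full printable ASCII", charset_entropy_bits(PRINTABLE_ASCII, 8)),
        ("12 chars, lowercase only", charset_entropy_bits(LOWERCASE, 12)),
        ("4 Diceware words", passphrase_entropy_bits(DICEWARE_WORDS, 4)),
    ]
    for label, bits in cases:
        print(f"{label:32} {bits:5.1f} bits  ~{expected_crack_seconds(bits, rate):.3g} s at 1e9 guesses/s")
    print(f"full ASCII vs lowercase, 8 chars: {times_harder(cases[1][1], cases[0][1]):,.0f}x harder")
```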