That is because we are focused on making "Hard to remember, easy for computers to guess" passwords. Encourage your users to come up with a non-sequitur phrase; they will likely have an easier time remembering it, and it will likely also have greater entropy than many of these hard-to-remember combinations. To steal from XKCD:

We'll take a word (Troubador) and mutate it: Tr0ub4dor&3

This has ~28 bits of entropy, and would take at most 3 days to guess at 1000 guesses/sec, and is going to be hard for most to remember.

Now, let's get the non-sequitur "correct horse battery staple".

Even though we have fewer types of characters, we have a higher entropy; in fact our entropy is now ~44 bits, which would take at most 550 YEARS to guess at 1000 guesses/sec, so it's harder for a computer to brute force. Now what about memorization? Odd phrases seem to have a way of clinging to your mind, and I think you'll find this is much easier to remember.
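An added example, not part of the original post: a small Python sketch that reproduces the 28-bit and 44-bit figures above and generates a passphrase with the OS CSPRNG. It assumes the XKCD model (words drawn uniformly and independently from a 2048-word list, 11 bits each); the function names and the 16-word `DEMO_WORDS` list are constructed for illustration, and a real deployment needs a list of thousands of words.

```python
import math
import secrets

# Per-component estimate for "Tr0ub4dor&3" as drawn in the XKCD comic the post cites.
MUTATED_WORD_BITS = {
    "uncommon base word": 16, "capitalisation": 1, "common substitutions": 3,
    "punctuation": 4, "numeral": 3, "order of the two suffixes": 1,
}

def passphrase_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)

def worst_case_seconds(bits, guesses_per_sec=1000):
    """Time to try every candidate at the post's rate of 1000 guesses/sec."""
    return 2 ** bits / guesses_per_sec

def words_needed(target_bits, list_size):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def generate(wordlist, n_words):
    """Pick words with the OS CSPRNG and return (phrase, entropy_bits)."""
    # Duplicates and case variants shrink the real search space, so count
    # only distinct normalised words when reporting entropy.
    unique = sorted({w.strip().lower() for w in wordlist if w.strip()})
    if len(unique) < 2:
        raise ValueError("word list needs at least two distinct words")
    words = [secrets.choice(unique) for _ in range(n_words)]
    return " ".join(words), passphrase_bits(len(unique), n_words)

# Constructed demo list: 17 entries, 16 distinct (4 bits per word). Too small for real use.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "lantern", "gravel",
              "orbit", "velvet", "mango", "thimble", "quartz", "ferry",
              "cobalt", "walnut", "pigeon", "anchor", "Horse"]

if __name__ == "__main__":
    year = 365.25 * 86400
    mutated = sum(MUTATED_WORD_BITS.values())
    print(f"mutated word: {mutated} bits, {worst_case_seconds(mutated) / 86400:.1f} days")
    bits = passphrase_bits(2048, 4)
    print(f"4 words of 2048: {bits:.0f} bits, {worst_case_seconds(bits) / year:.0f} years")
    print("words needed for 44 bits from a 2048-word list:", words_needed(44, 2048))
    print("demo passphrase (16-word list):", generate(DEMO_WORDS, 4))
```

The entropy figure only holds when the words are chosen by the generator; a phrase a person picks themselves does not follow a uniform distribution.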
