Reality check: A public service announcement about passwords

If anyone ever says to you, “your password must contain one capital, a digit,…”, you can be certain that they are an idiot, and that they do not understand security. If you encounter such requirements in software, then it was written by an idiot—or it was written to a standard which was written by an idiot.

I’m serious. This is not hyperbole. Anyone who says such things truly has not even the most basic understanding of computer security. You should immediately stop trusting them with anything related to computer security.

To begin to understand why this is true, please enjoy this wonderfully explanatory cartoon from XKCD: Password Strength.

The cartoon is fun, but its core point, that the critical feature of a password is the amount of entropy it contains, will make you smarter about passwords than the vast majority of people.
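As an added example (not part of the original post), here is the entropy arithmetic the cartoon is built on: the strength of a password is log2 of the number of ways the process that produced it could have gone, not how "complex" the final string looks. The word list and its assumed 2048-word size, the 1000-guesses-per-second rate, and the per-step estimates for the human-chosen password are the cartoon's illustrative figures, used here as assumptions.

```python
import math
import secrets

# Constructed word list, standing in for a real diceware-style list; the
# entropy arithmetic below assumes a 2048-word list (11 bits per word).
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "candle", "river", "quartz"]
WORDLIST_SIZE = 2048  # assumed size of the full list, not len(WORDLIST)

def entropy_bits(choices: int, picks: int = 1) -> float:
    """Entropy of `picks` independent, uniform draws from `choices` options."""
    return picks * math.log2(choices)

def process_entropy(choices_per_step: list) -> float:
    """Entropy of a password built by a chain of independent choices: the bits
    of each step add up. What matters is how many ways the *process* could
    have gone, not how many character classes the result happens to contain."""
    return sum(math.log2(c) for c in choices_per_step)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time for an attacker to try every candidate at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 86400)

# A 'Tr0ub4dor&3'-style password that satisfies the usual composition rule,
# scored with the cartoon's per-step estimates: uncommon base word (~2^16),
# capitalised or not (2), common letter->digit substitutions (~2^3),
# appended numeral (~2^3), appended punctuation (~2^4), their order (2).
def human_rule_password_bits() -> float:
    return process_entropy([2**16, 2, 2**3, 2**3, 2**4, 2])  # 28 bits

# Four words picked uniformly at random from the list: 4 * log2(2048).
def passphrase_bits(words: int = 4, wordlist_size: int = WORDLIST_SIZE) -> float:
    return entropy_bits(wordlist_size, words)  # 44 bits

# For contrast: a composition rule only buys strength when every character is
# genuinely random, which is exactly the kind of password nobody memorises.
def random_printable_bits(length: int = 8) -> float:
    return entropy_bits(94, length)  # 94 printable ASCII characters

def generate_passphrase(words: int = 4, wordlist=WORDLIST) -> str:
    # secrets.choice draws from the OS CSPRNG; random.choice would be predictable.
    return " ".join(secrets.choice(wordlist) for _ in range(words))

if __name__ == "__main__":
    rate = 1000  # guesses per second, the cartoon's assumed rate
    for label, bits in [("human-chosen rule password", human_rule_password_bits()),
                        ("4-word random passphrase", passphrase_bits()),
                        ("8 random printable chars", random_printable_bits())]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years at {rate}/s")
    print("example passphrase:", generate_passphrase())
```

The rule-satisfying password comes out at 28 bits (about three days at 1000 guesses per second) against 44 bits for the passphrase (about 550 years); the third row shows that the rule itself is not the problem, predictable human choices are.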

ɕ