I asked a friend of mine who sucks at passwords:
“If I asked you to make a password 8 or more characters with 3 types out of 4 (lowercase, uppercase, numbers, or symbols) would you use a password you already have for other sites?”
He said “yup.” I asked “how long is that password?” He said “8 characters.”
Let’s say his password was Dogs4ev!
Rather, if we just said “15 characters or longer”, lovedogsforever seems like something that person might come up with.
Looking at it from a simple brute-force perspective: even with lowercase only and no numbers, 15 characters can hold 70 bits or more of entropy.
Looking at it from a dictionary perspective: 3 words from a dictionary of 4096 common words is 36 bits, plus plural/non-plural is around one bit per word for nouns only, so 38-ish bits.
Meanwhile, an 8-character password can only hold 48 bits of entropy max, even with 66 types of characters…
But in actuality, many people reuse 8-character passwords across all websites, and there are very few patterns: usually 1 dictionary word with numbers and capitalization, ending with !… these are probably less than 20 bits of guessing…
This can be best summed up by xkcd. “correct horse battery staple” is 28 characters long, btw, 25 without spaces. Even if you made each word 4 letters, 4 words with no spaces would be 16 characters long.
With 3 words, each would need to be 5 letters to reach 15 without spaces.
Which is why I say 15 or longer… the only “rules” I might enforce are:
- Not all numbers and spaces.
- No sequences: 1234567890, abcdefg…, qwertyuiopasdfghjklzxcvbnm, whatever the AZERTY keyboard order is, etc.
- No repeats longer than 3 characters. This prevents “padding” (my pw is 15 zeroes!!! etc.)… 3 because many words use repeats of 2, and maybe there are some words with 3 of the same letter in some language… but 4 or more is just padding.
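As an added example (not from the post), here is the entropy arithmetic above and a checker for the three rules in Python. The AZERTY row string and the threshold of 4 consecutive keys counting as a "sequence" are my assumptions, not the post's.

```python
import math
import re

MIN_LENGTH = 15
# Sequences to reject, per the post; the AZERTY row is an assumption (constructed).
SEQUENCES = [
    "1234567890",
    "abcdefghijklmnopqrstuvwxyz",
    "qwertyuiopasdfghjklzxcvbnm",
    "azertyuiopqsdfghjklmwxcvbn",
]
MIN_SEQ_RUN = 4  # assumption: 4+ consecutive keys (either direction) is a sequence


def brute_force_bits(length, alphabet_size):
    """Max entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words, dictionary_size, extra_bits_per_word=0.0):
    """Entropy of N words drawn from a dictionary, plus e.g. ~1 bit for plural/non-plural."""
    return words * (math.log2(dictionary_size) + extra_bits_per_word)


def has_sequence(pw):
    """True if any MIN_SEQ_RUN-long slice of a known sequence (or its reverse) appears."""
    low = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - MIN_SEQ_RUN + 1):
            chunk = seq[i:i + MIN_SEQ_RUN]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(pw):
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if re.fullmatch(r"[0-9 ]*", pw):
        problems.append("only numbers and spaces")
    if has_sequence(pw):
        problems.append("contains a keyboard/alphabet sequence")
    if re.search(r"(.)\1{3,}", pw):  # same character 4 or more times in a row
        problems.append("contains a character repeated more than 3 times")
    return problems
```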