In an effort to make passwords more resistant to guessing attacks, system administrators provide users with suggestions and/or requirements for the passwords they create. This guidance may include password-composition requirements, such as requiring the password to have a minimum length and include both letters and numbers. Other common strategies include using a meter to suggest or enforce composition rules, forbidding use of dictionary words, and forbidding common passwords. Many of these strategies were developed based on folk wisdom and educated guesses; until recently, most had not been empirically evaluated .
Download Full PDF Version (Non-Commercial Use)