On Wed, 6 Feb 2008, Andy Schmid wrote:

> On Feb 5, 2008 5:11 PM, Mike Miller <mbmiller at taxa.epi.umn.edu> wrote:
>
>> Thanks, Dave.  Very interesting.  How about:  A random string is the
>> hardest password to guess.
>
> I disagree.  There is the chance (albeit very slim to none) that a 
> random string can produce a password such as '1234', which can be easily 
> cracked.

I thought about that too, but the thing is, if the would-be cracker knows 
that it is a random string (and he would know if that was the design of 
the system), there will be no benefit to his guessing first things like 
"1234," but if he knows that you have disallowed things like "1234", then 
you have helped him by cutting back on the number of things he must guess.

So when using random strings you would *not* want to have rules like "must 
include both upper-case and lower-case letters, digits and non-alphanumeric 
characters," because that rule would help a brute-force attacker.

Mike
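As an added illustration of the point Mike makes above (this is example code written for this page, not part of the thread), the following Python counts how many random strings of a given length over the 95 printable ASCII characters satisfy a "must contain at least one upper-case letter, one lower-case letter, one digit and one symbol" rule, using inclusion-exclusion over the classes that are left out. The class sizes (26, 26, 10 and 33, the last being everything else in printable ASCII including space) are assumptions of the example. Comparing the constrained count against the full keyspace gives the number of bits of entropy the rule hands to an attacker who knows it is enforced.

```python
import math
from itertools import combinations

# Assumed character classes of printable ASCII (0x20-0x7E, 95 characters).
CLASSES = {
    "upper": 26,
    "lower": 26,
    "digit": 10,
    "symbol": 33,  # printable ASCII that is none of the above, space included
}
ALPHABET = sum(CLASSES.values())  # 95


def unconstrained_count(length):
    """Number of random strings of this length with no composition rule."""
    return ALPHABET ** length


def constrained_count(length, classes=CLASSES):
    """Number of strings of this length that contain at least one character
    from every class.  Inclusion-exclusion: for each subset of classes that we
    forbid entirely, count strings over the remaining alphabet, and alternate
    signs by the size of the forbidden subset."""
    sizes = list(classes.values())
    total = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(range(len(sizes)), k):
            remaining = ALPHABET - sum(sizes[i] for i in excluded)
            total += (-1) ** k * remaining ** length
    return total


def bits(n):
    """Entropy in bits of a uniform choice among n strings."""
    return math.log2(n)


def rule_cost(length):
    """Summarise what the composition rule does to the search space: the
    fraction of random strings the rule rejects, and how many bits of
    guessing work an attacker who knows the rule no longer has to do."""
    full = unconstrained_count(length)
    kept = constrained_count(length)
    return {
        "length": length,
        "unconstrained_bits": bits(full),
        "constrained_bits": bits(kept),
        "bits_lost": bits(full) - bits(kept),
        "fraction_rejected": 1 - kept / full,
    }


if __name__ == "__main__":
    for n in (4, 8, 12):
        r = rule_cost(n)
        print(f"length {n:2d}: {r['unconstrained_bits']:.2f} bits without rule, "
              f"{r['constrained_bits']:.2f} bits with rule, "
              f"{r['bits_lost']:.2f} bits lost, "
              f"{100 * r['fraction_rejected']:.1f}% of random strings rejected")
```

For short strings the effect is large (a 4-character string must use each class exactly once, so most of the space is discarded); for longer strings the rule rejects a smaller fraction, but it never increases the attacker's work, which is the point of the reply above: against a uniformly random password the rule only ever removes candidates.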