Originally Posted by Damn_Its_Hot
I tend to doubt that the example you give is better -- assuming your definition of better is 'more secure'. The first can be hacked with a dictionary attack whereas the second is totally random and uses a mix of lowercase alpha, numbers and punctuation. By simple reasoning alone your 14 char passwords are made up of a common simple phrase consisting of 3 words (one being the most common password used) whereas the other could be stronger and contain as many English language pairs; I would consider it stronger. Care to share your source?
http://xkcd.com/936/ -- For the quick explanation. Bottom line, I agree with the overall idea. But, not exactly how the comic presents it.
When a website enforces complex passwords, but sets the minimum length to 8 characters -- that's all the user will create: an 8 character password. Now, don't get me wrong, a complex 8 character password is, eh, secure enough. The problem for the average user, though, will be the password paradox. They will have a hard time remembering complex passwords, so what does that person do? They use the same exact complex password for -everything- which, of course, is terrible. Therefore, the argument is that the minimum length should be set much higher, as high as say 25+ characters, but complexity not enforced. The user would then be free to make a more memorable password.
Ergo -- since "mynameisjoeblowandiamawesome" is much easier to remember than "(yZ0gN,C", users would create unique passwords more often.
From a brute force perspective, longer non-complex passwords have greater entropy than shorter more complex passwords and, as such, would take a lot longer to "guess". Which would be fine if dictionary attacks didn't exist. Combining non-capitalized letters together wouldn't be difficult.
Now, if I didn't know that users would just capitalize only the first letter and put a "1" at the end of their password, I would suggest that some complexity be required. Instead, what I would like to see is that users combine mnemonics with their passwords.
Ergo -- "mynameisjoeblowaiaa" where "aiaa" = "and i am awesome" or something like this.
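The two strength estimates the post is weighing (brute-force keyspace versus a word-list search) can be put side by side in a few lines. The following is an added example, not code from the thread or from xkcd; it assumes a simple character-class model for brute force (26/26/10/33 symbols per class), a constructed toy word list for the segmentation check, and an attacker dictionary of 10,000 words for the word-list estimate. It also shows why the mnemonic variant "mynameisjoeblowaiaa" no longer splits cleanly into dictionary words.

```python
import math
from typing import List, Optional, Set

# Constructed toy dictionary, just large enough to cover the example phrase.
# A real attacker word list would be far larger; see ATTACKER_DICT_SIZE below.
WORDS: Set[str] = {"my", "name", "is", "joe", "blow", "and", "i", "am", "awesome"}

# Assumed size of the word list an attacker would actually run (hypothetical value).
ATTACKER_DICT_SIZE = 10_000


def brute_force_bits(password: str) -> float:
    """Bits of work if the attacker must try every string of this length
    over the character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(size)


def dictionary_bits(word_count: int, dict_size: int = ATTACKER_DICT_SIZE) -> float:
    """Bits of work for a word-list attack that guesses `word_count` words
    drawn from a list of `dict_size` entries."""
    return word_count * math.log2(dict_size)


def segment(password: str, words: Set[str] = WORDS) -> Optional[List[str]]:
    """Split `password` into the fewest dictionary words, or return None if
    no complete split exists (dynamic programming over prefixes)."""
    n = len(password)
    best: List[Optional[List[str]]] = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(i):
            prefix = best[j]
            if prefix is not None and password[j:i] in words:
                candidate = prefix + [password[j:i]]
                if best[i] is None or len(candidate) < len(best[i]):
                    best[i] = candidate
    return best[n]


def effective_bits(password: str, words: Set[str] = WORDS,
                   dict_size: int = ATTACKER_DICT_SIZE) -> float:
    """The cheaper of the two attacks: brute force, or a word-list search
    when the password segments fully into dictionary words."""
    brute = brute_force_bits(password)
    split = segment(password, words)
    if split is None:
        return brute
    return min(brute, dictionary_bits(len(split), dict_size))


if __name__ == "__main__":
    for pw in ("(yZ0gN,C", "mynameisjoeblowandiamawesome", "mynameisjoeblowaiaa"):
        print(f"{pw!r}: brute={brute_force_bits(pw):.1f} bits, "
              f"segments={segment(pw)}, effective={effective_bits(pw):.1f} bits")
```

Run as-is, the 8-character complex password comes out near 53 bits against brute force, the 28-character phrase near 132 bits against brute force but only about 120 bits once it is treated as nine words from a 10,000-word list, and the mnemonic variant fails to segment at all, so a pure word-list search gets no shortcut on it. The mnemonic form is shorter, so its brute-force bound is lower than the full phrase; what it buys is memorability without handing the attacker a word-by-word search, which is the trade-off the post is describing.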