Originally Posted By: Denis
I guess my question is what the necessity for mixed case, numbers & letters, and special characters really is.

For example, to a password cracking program, is correcthorsebatterystaple (the example from the xkcd comic) any more or less hard to guess than any other 25-character-long string? A cracking program wouldn't know not to check for mixed case, etc., would it?

My understanding of this approach to using long, but easy to remember, passwords (I've had other IT professionals recommend it as well) is that the length alone is what makes password cracking unlikely due to the sheer length of time needed to find the right combination of characters.


With respect to XKCD (a highly admired source of information as well as humor), it's not just the keyspace that matters. A dictionary attack against a wireless key of that form would succeed within a day at the most on my work laptop. Add in numerals and special characters and you have to stop using a dictionary attack and work a brute force attack, which at that length of key would take an infeasibly long time to complete.
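
The two ways of counting discussed in this thread can be put side by side in a small strength estimator. This is an added example, not part of either post. The word set is a constructed stand-in for a real dictionary, and the 2048-word dictionary size is an assumption taken from the xkcd comic's 11 bits per word.

```python
import math
import string

# Constructed stand-in for a real word list (assumption for this example).
SAMPLE_WORDS = {"correct", "horse", "battery", "staple", "bat", "cor"}
# Assumption: the guesser's dictionary holds 2048 words (11 bits per word).
ASSUMED_DICTIONARY_SIZE = 2048


def split_into_words(password, words):
    """Return the shortest list of dictionary words spelling password, or None."""
    best = [None] * (len(password) + 1)
    best[0] = []
    for end in range(1, len(password) + 1):
        for start in range(end):
            if best[start] is not None and password[start:end] in words:
                candidate = best[start] + [password[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(password)]


def charset_size(password):
    """Size of the alphabet a character-by-character search would have to cover."""
    pools = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
             (string.digits, 10), (string.punctuation, 32)]
    return sum(size for chars, size in pools if any(c in chars for c in password))


def search_space_bits(password, words=SAMPLE_WORDS,
                      dictionary_size=ASSUMED_DICTIONARY_SIZE):
    """Compare the per-character search space with the per-word search space."""
    parts = split_into_words(password, words)
    # max(..., 1) keeps log2 defined for empty or non-ASCII-only input.
    brute = len(password) * math.log2(max(charset_size(password), 1))
    # The word model only applies when the whole string is made of dictionary words.
    dictionary = len(parts) * math.log2(dictionary_size) if parts else None
    return {"words": parts,
            "brute_force_bits": round(brute, 1),
            "dictionary_bits": dictionary}


if __name__ == "__main__":
    for candidate in ("correcthorsebatterystaple", "correct7horse!battery"):
        print(candidate, search_space_bits(candidate))
```

The estimate covers only a pure word-list model and a pure per-character model, so a password that falls outside the word model here is not thereby shown to be strong.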