- Jan 07, 2015
- by Brad Litwin
One would think that a strong password is one that contains special characters, numbers, and uppercase and lowercase letters. This can be true, but it has been shown that all a password needs to be is long. Let’s take a look at two passwords and compare their strength.
First, take a password that is considered strong. Microsoft gives “H3ll0 2 U!” as an example of a strong password on their “Tips for creating a strong password” page. They consider it strong because it uses uppercase letters, lowercase letters, numbers and symbols. However, this is still a common phrase with common number-letter replacements. Password crackers that account for people using common phrases and words, with numbers replacing specific letters or with the words shortened, will not be fooled by these tactics. This password is only 10 characters long, which gives about 20 quintillion (20 followed by 18 zeros) combinations including special characters. That sounds strong, doesn’t it?
Second, take a 5-word random sentence like “ILikeCheesyGoldfishCrackers”. This password is long, has upper and lowercase letters, is easy to remember and is very difficult for a password cracker to guess. Just 5 words in English, of which there are more than a million, would produce over 1 nonillion combinations (that’s a 1 with 30 zeros). If a cracker were guessing character by character through the 27 characters in “ILikeCheesyGoldfishCrackers”, assuming just upper and lowercase letters, it would take up to a quattuordecillion guesses. That’s a 1 with 45 zeros, so it becomes apparent that long passwords are in fact better passwords.
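The arithmetic behind both comparisons, as an added example that is not part of the original article; it goes one step further by treating the cheaper of the two guessing models as the effective strength. The 95-character printable-ASCII alphabet and the CamelCase word splitting are assumptions, so the first figure will not match the article's rounded one exactly.

```python
import math
import re
import string

# Assumption (not from the article): printable ASCII, 26 + 26 + 10 + 33 = 95.
CLASSES = [set(string.ascii_lowercase), set(string.ascii_uppercase),
           set(string.digits), set(string.punctuation + " ")]
ENGLISH_WORDS = 1_000_000  # the article's "more than a million" words


def alphabet_size(password):
    """Size of the character classes an attacker must cover for this password."""
    return sum(len(c) for c in CLASSES if c & set(password))


def char_guesses(password):
    """Worst-case guesses for a character-by-character brute force."""
    return alphabet_size(password) ** len(password)


def split_words(passphrase):
    """Split a CamelCase passphrase (the article's style) into its words."""
    return re.findall(r"[A-Z][a-z]*", passphrase)


def word_guesses(passphrase, vocabulary=ENGLISH_WORDS):
    """Worst-case guesses when whole words are tried instead of characters."""
    words = split_words(passphrase)
    if "".join(words) != passphrase:
        return None  # not purely CamelCase words, so this model does not apply
    return vocabulary ** len(words)


def effective_guesses(password):
    """The cheapest applicable model sets the real strength, so take the minimum.

    This is still an upper bound: the phrase-and-substitution guessing the
    article describes for "H3ll0 2 U!" is not modelled here.
    """
    candidates = [char_guesses(password), word_guesses(password)]
    return min(c for c in candidates if c is not None)


if __name__ == "__main__":
    for pw in ("H3ll0 2 U!", "ILikeCheesyGoldfishCrackers"):
        best = effective_guesses(pw)
        print(f"{pw!r}: alphabet={alphabet_size(pw)}, "
              f"by character={char_guesses(pw):.2e}, "
              f"effective={best:.2e} (~{math.log2(best):.0f} bits)")
```

For the passphrase, the word model (a 1 with 30 zeros) is far smaller than the character model, so a passphrase should be rated by the number of words and the size of the word list they were drawn from.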