I am thinking of providing the following advice to users during password creation:

"Use a memorable phrase as a password with a mix of uppercase letters, numbers and special characters, e.g.

Margaret Thatcher is 110% SEXY.

But please do not use too many repeated characters/numbers, and avoid using personally identifiable information in the password such as username, email ID, real name etc."

Is this advice sound? What else should be included? At the backend I am using zxcvbn to check password strength.

Motivation for this advice is:

1. xkcd: https://xkcd.com/936
2. The password mentioned in the title was, as an example, suggested by Edward Snowden on the Last Week Tonight show: https://www.youtube.com/watch?v=yzGzB-yYKcc
I would argue against uppercase, special characters, and numbers. They don’t provide any more protection against a dictionary attack than throwing in a Spanish or French word in your phrase. “Margaret Thatcher es caliente” is easier to remember.

Bill Burr, who invented the original password complexity rules, now says to forget those special characters and numbers. Simple long phrases that you can remember are more important. https://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987
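The following is an added example written for this thread, not code from either poster. It puts the question's own rules (no personal identifiers, no long runs of one character) and the reply's argument (an extra dictionary word buys far more than capitals and symbols) into one server-side check. The guess estimator is a deliberately simplified stand-in for zxcvbn so the file runs offline: it budgets 2^11 guesses per dictionary word as xkcd 936 does, 26^n for an unknown letter run, 10^n for digits, 33^n for symbols, and only a factor of two for capitalising a word. The wordlist, user records and candidate passwords are constructed for illustration; the 10^10 guess floor is the value zxcvbn uses for its top score, and the commented production hook assumes the zxcvbn-python package.

```python
"""Password policy check: length floor, no personal identifiers, no long
character runs, and a guess-count floor from a pluggable estimator."""
import math
import re
from dataclasses import dataclass

# Constructed mini wordlist standing in for an attacker's dictionary.
WORDLIST = {"correct", "horse", "battery", "staple", "orange", "margaret",
            "thatcher", "is", "sexy", "password", "summer", "love"}
VOCAB = 2048            # assumed dictionary size per word (xkcd 936 budgets ~2^11)
SYMBOLS = 33            # printable ASCII characters that are not letters, digits or space
MIN_GUESSES = 10 ** 10  # guess count zxcvbn requires for its top score of 4
MIN_LENGTH = 12
MAX_RUN = 3             # longest run of one repeated character we tolerate

TOKEN_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9\s]+")


def token_guesses(password: str, user_inputs=()) -> int:
    """Crude guess estimate in the spirit of zxcvbn (not its algorithm).
    A dictionary word, or any of the user's own identifiers, costs VOCAB;
    an unknown letter run is brute-forced at 26**len; digits cost 10**len;
    symbols cost SYMBOLS**len; capitalising or upper-casing a word only
    doubles its cost because a rule-based attacker tries both forms."""
    words = WORDLIST | {u.lower() for u in user_inputs}
    guesses = 1
    for tok in TOKEN_RE.findall(password):
        if tok.isalpha():
            low = tok.lower()
            base = VOCAB if low in words else 26 ** len(tok)
            if tok == low:
                case = 1
            elif tok == tok.capitalize() or tok == tok.upper():
                case = 2
            else:
                case = 2 ** len(tok)   # arbitrary mixed case: every case mask is a candidate
            guesses *= base * case
        elif tok.isdigit():
            guesses *= 10 ** len(tok)
        else:
            guesses *= SYMBOLS ** len(tok)
    return guesses


# Production hook (assumes the zxcvbn-python package, which is not shipped here):
#   from zxcvbn import zxcvbn
#   estimator = lambda pw, ids: zxcvbn(pw, user_inputs=list(ids))["guesses"]


def identifier_tokens(username: str, email: str, real_name: str) -> set:
    """Pieces of the account's identity that must not appear in the password."""
    local = email.lower().partition("@")[0]
    raw = [username, local, *re.split(r"[._+\-]", local), *real_name.split()]
    return {t.lower() for t in raw if len(t) >= 3}


@dataclass
class Verdict:
    ok: bool
    reason: str
    guesses: int


def check_password(password, username, email, real_name, estimator=token_guesses):
    ids = identifier_tokens(username, email, real_name)
    guesses = int(estimator(password, ids))
    if len(password) < MIN_LENGTH:
        return Verdict(False, f"shorter than {MIN_LENGTH} characters", guesses)
    low = password.lower()
    hits = sorted(t for t in ids if t in low)
    if hits:
        return Verdict(False, "contains personal identifier(s): " + ", ".join(hits), guesses)
    run = re.search(r"(.)\1{%d,}" % MAX_RUN, password)
    if run:
        return Verdict(False, f"repeats {run.group(1)!r} {len(run.group(0))} times in a row", guesses)
    if guesses < MIN_GUESSES:
        return Verdict(False, f"too guessable (about 2^{math.log2(guesses):.0f} guesses)", guesses)
    return Verdict(True, "ok", guesses)


if __name__ == "__main__":
    # Constructed user records and candidate passwords.
    user = ("mthatcher", "margaret.thatcher@example.com", "Margaret Thatcher")
    other = ("alice", "alice@example.com", "Alice Liddell")
    for pw, who in [("Margaret Thatcher is 110% SEXY.", user),
                    ("Margaret Thatcher is 110% SEXY.", other),
                    ("correct horse battery staple", other),
                    ("correct horse battery staple orange", other),
                    ("Correct horse battery staple!", other),
                    ("correct hooooorse battery staple", other),
                    ("horse staple", other)]:
        v = check_password(pw, *who)
        print(f"{pw!r:40} {who[0]:10} ok={v.ok!s:5} ~2^{math.log2(v.guesses):4.0f}  {v.reason}")
```

Running the demo shows the two arguments side by side: the example password is rejected for the user it names and accepted for anyone else, appending a fifth word to "correct horse battery staple" multiplies the estimate by 2048, while capitalising it and adding "!" multiplies it by only 66. The same structure keeps the identifier and repetition rules even when the toy estimator is swapped for zxcvbn via the hook above.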