Eugene Panferov
On the premise that we are using passwords composed of multiple English words, we argue that using syntactically correct passphrases has no significant impact on the security in comparison to randomly arranged collections of words. We only analyze the contribution of the syntax itself. A comparison to the other kinds of passwords is out of the scope.
Eugene Panferov
We notice that the "password security" discourse is missing the most fundamental notion of the "password strength" -- it was never properly defined. We propose a canonical definition of the "password strength", based on the assessment of the efficiency of a set of possible guessing attack. Unlike naive password strength assessments our metric takes into account the attacker's strategy, and we demonstrate the necessity of that feature. This paper does NOT advise you to include "at least three capital letters", seven underscores, and a number thirteen in your password.