Standards for Strong Passwords?
Forum: Visual FoxPro
Category: Other
Environment versions: Visual FoxPro: VFP 9 SP2
Thread ID: 01415871
Message ID: 01415875
Views: 114

Hi Kevin,

there's no standard... Password strength actually depends on a number of factors. For instance, when the requirement is that there must be lower case, upper case and digits, most people end up with a password that starts with an upper case character and has the digit at the end. Passwords that do not follow this pattern are often hard to remember. Therefore users will either write it down, or only use slight variations of the password when they need to change it. They also tend to use the same password in various places.

The idea behind a strong password is originally to prevent dictionary attacks. There are lists with hundreds of thousands of common words available that tools can use to automate logon attempts. While this seems like a high number, it is significantly lower than purely random passwords with the same length. They drastically reduce the number of attempts one needs in a trial and error attack. Hence, to defend against such attacks your system must meet two criteria:

- Passwords should not be in a dictionary
- Limited number of logon attempts

The second part is the more important part. Whether someone can try thousands of passwords each second, or only a dozen per hour makes quite a difference when trying to break in. You can achieve this by using incrementing pauses after each unsuccessful attempt. Make the user wait 1-2-4-8-16-32 seconds each time they enter a wrong password. Most users will get it right after a few attempts or call an administrator. Automated scripts will be stopped very quickly.

To avoid dictionary attacks, a common approach to avoid hard-to-remember passwords is pass phrases. Users enter a simple sentence like this one instead of a password. You can also combine two or three words which greatly increases security as well. A password such as "apple sun part" is easy to remember, but still a secure one (too long for brute force, no easy dictionary attack).
--
Christof
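
Added example (not part of Christof's post): a sketch of the incrementing pause described above, written in Python rather than VFP so the logic is easy to port. The class name, the `verify` callback, the per-account state and the 32-second cap are assumptions made for the illustration.

```python
import time


class LoginThrottle:
    """Per-account doubling pause after each failed logon: 1, 2, 4, 8, 16, 32 s."""

    def __init__(self, base=1.0, cap=32.0, clock=time.monotonic):
        # cap is an assumption: the pause stops growing at 32 s so that a
        # script cannot lock a legitimate user out indefinitely.
        self.base, self.cap, self.clock = base, cap, clock
        self._state = {}  # account -> (consecutive failures, time next try is allowed)

    def delay_after(self, failures):
        """Pause imposed after the given number of consecutive failures."""
        return min(self.base * 2 ** (failures - 1), self.cap)

    def wait_remaining(self, account):
        """Seconds the account still has to wait before the next attempt counts."""
        _, allowed_at = self._state.get(account, (0, 0.0))
        return max(0.0, allowed_at - self.clock())

    def attempt(self, account, verify):
        """Return (ok, seconds_to_wait).

        verify is a zero-argument callable that checks the supplied password
        against the stored hash. It is not called while a pause is running,
        so guesses sent during the pause are never evaluated.
        """
        remaining = self.wait_remaining(account)
        if remaining > 0:
            return False, remaining
        if verify():
            self._state.pop(account, None)  # success resets the counter
            return True, 0.0
        failures = self._state.get(account, (0, 0.0))[0] + 1
        pause = self.delay_after(failures)
        self._state[account] = (failures, self.clock() + pause)
        return False, pause


def seconds_to_try(guesses, throttle):
    """Total enforced waiting for a script making `guesses` wrong attempts in a row."""
    return sum(throttle.delay_after(n) for n in range(1, guesses + 1))


if __name__ == "__main__":
    t = LoginThrottle()
    hours = seconds_to_try(1000, t) / 3600
    print(f"1000 dictionary guesses against one account: {hours:.1f} hours of waiting")
```

The state here lives in memory; a real logon form would keep the failure count and next-allowed time with the user record so that restarting the application does not reset the pause.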