A Canonical Password Strength Measure
| Attachment | Size |
|---|---|
| password.pdf | 85.38 KB |
We notice that the “password security” discourse is missing a fundamental notion of “password strength”.
We propose a canonical measure of a password’s strength. We give formal definitions of the “guessing attack” and
of the “attacker’s strategy”. The measure is based on assessing the efficiency of the best possible guessing
attack. Unlike naive password strength assessments, our measure takes the attacker’s strategy into account. We
argue strongly against the widespread informal assumptions about “strong” and “weak” passwords, and advise
adopting formal metrics such as the proposed one. This paper does NOT advise you to include “at least three capital
letters”, seven underscores, and the number thirteen in your password.
The full text of the paper is on arXiv, available as PDF and TeX: http://arxiv.org/abs/1505.05090
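The abstract's central point is that strength must be judged against the best guessing strategy rather than against character-class rules. The following added example, which is not code from the paper and does not reproduce its exact definition, illustrates that idea with the generic guesswork model: an optimal attacker tries candidates in decreasing order of probability, so the expected number of guesses (and the number needed to reach a given success rate) follows from the password distribution. The password corpus below is constructed for illustration; it stands in for frequencies learned from a leaked password list.

```python
import math
from collections import Counter

# Constructed sample corpus: each entry is one observed password choice.
# Real measurements would come from a leaked-password frequency list.
SAMPLE_PASSWORDS = (
    ["123456"] * 40 + ["password"] * 25 + ["qwerty"] * 15
    + ["letmein"] * 10 + ["dragon"] * 5 + ["abc123"] * 5
)


def distribution(passwords):
    """Empirical probability of each distinct password in the corpus."""
    counts = Counter(passwords)
    total = sum(counts.values())
    return {pw: c / total for pw, c in counts.items()}


def optimal_strategy(dist):
    """Best guessing order: most probable first (ties broken lexically)."""
    return sorted(dist, key=lambda pw: (-dist[pw], pw))


def expected_guesses(dist):
    """Expected number of guesses until success under the optimal order.

    This is Massey's guesswork: sum over rank i of i * p(i-th most likely).
    """
    order = optimal_strategy(dist)
    return sum((rank + 1) * dist[pw] for rank, pw in enumerate(order))


def guesses_for_success(dist, alpha):
    """Smallest number of guesses whose cumulative success probability is >= alpha."""
    cumulative = 0.0
    for rank, pw in enumerate(optimal_strategy(dist)):
        cumulative += dist[pw]
        if cumulative >= alpha - 1e-12:  # tolerate float rounding
            return rank + 1
    return len(dist)


def shannon_entropy_bits(dist):
    """Shannon entropy of the distribution, for comparison with guesswork."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def naive_strength_bits(password, charset_size=26):
    """The naive measure: assume every string over the charset is equally likely."""
    return len(password) * math.log2(charset_size)


def uniform_distribution(passwords):
    """Same candidate set, but every password equally likely (worst case for the attacker)."""
    distinct = set(passwords)
    return {pw: 1.0 / len(distinct) for pw in distinct}


if __name__ == "__main__":
    dist = distribution(SAMPLE_PASSWORDS)
    print("optimal guessing order:", optimal_strategy(dist))
    print("expected guesses (skewed corpus):", expected_guesses(dist))
    print("expected guesses (uniform over same set):",
          expected_guesses(uniform_distribution(SAMPLE_PASSWORDS)))
    print("guesses for 50% success:", guesses_for_success(dist, 0.5))
    print("guesses for 90% success:", guesses_for_success(dist, 0.9))
    print("Shannon entropy (bits):", round(shannon_entropy_bits(dist), 3))
    print("naive 'strength' of 'qwerty' (bits):", naive_strength_bits("qwerty"))
```

The naive measure rates "qwerty" at about 28 bits, yet in the skewed corpus an attacker following the optimal order needs on average only 2.3 guesses, and two guesses already succeed half the time. The uniform distribution over the same six candidates gives the largest expected guesswork (3.5), which is why a strength measure has to be defined relative to the attacker's best strategy over the real distribution of choices.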