Instead of communicating password strength—specifically unpredictability—as ‘bits,’ let’s consider using slot machines as a metaphor. Bits of entropy are the traditional way of describing the randomness and variety, though it can be intimidating or too abstract for some users. It can also overlook that each ‘character’ in the equation is actually an entire word, since those are easier for users to remember. Slots are relatively simple machines which randomly rotate among variations of options and line up together like letters or words in a passphrase. So this metaphor may help users better understand the strength of their passwords.
Let’s imagine that slot players are thieves looking to steal the money in your bank account. Slot positions or wheels can be thought of as each character or word in your password or phrase. And the varieties of slot fruits represent the possible characters or words in your secret. Now if a player happens to line up each of them they’ll strike jackpot and get access to all your money. Preventing unwanted jackpots like that requires choosing passwords or phrases that are unpredictable. So we want a lot of different fruit (characters/words), as many slot positions as practical (as long as possible), and no pattern among the slot choices (no relationship between them). More is stronger.
It’s important to keep in mind that if we choose a password as a collection of words (not random characters) then our ‘fruit’ or dictionary cannot be counted as each character. In that case it must be counted as each whole word. Attackers know that people often use words because of frequent passwords leaks. So any pattern we choose should be considered public knowledge.
Now, to gauge how strong a password (jackpot) is we can multiply the number of possible words/characters (fruit) together repeatedly, one for each slot position. Consider that three words with two slots is 3 x 3 or 9 possible values. Put another way we take it to the exponent: 3 ^ 2 = 9. Guessing randomly the attacker/player would probably hit the jackpot in half as much, on average. So that password would typically require 9 / 2 or 4.5 guesses to get right. That’s really weak.
Expressing that as attempts gets out of hand quickly since at 1000 words/characters with 3 slots we’ve got 1,000 ^ 3 or 1,000,000,000 which is one billion. A dictionary or fruit basket of 10K with 5 slots would be 100,000,000,000,000,000,000 or one hundred quintillion, on average guessed in fifty quintillion attempts. If these numbers are too unwieldy we could use the ‘bits’ method to make these numbers easier to read and reason about. Then our 10,000-5-slot password would be log base 2 of 100 quintillion or about 66.4 bits. Still it would be important to remember to take care when filling in the ‘fruit’ or dictionary number to avoid counting characters when we’re actually using words.
Each of the password requirements (many kinds of ‘fruit’, multiple slot positions, unrelated ‘fruit’ choices) is important, and that makes strong password/phrase choices hard to remember. Typically we also have many accounts with a variety of website and services. Ideally each account should use a different, unrelated password than all the others. For this reason a password manager makes life more practical. Properly designed they can encrypt all the random passwords or phrases with one, strong-yet-memorable password. If you aren’t using one please try making it a part of your daily routine for a month. It could save you a lot of time and headache by avoiding the loss of your accounts or funds.