A Canonical Password Strength Measure

We notice that the "password security" discourse is missing a fundamental notion of the "password strength". We propose a canonical measure of password's strength. We give formal definition of the "guessing attack", and the "attacker's strategy". The measure is based on the assessment of the efficiency of the best possible guessing attack. Unlike naive password strength assessments our measure takes into account the attacker's strategy. We argue strongly against widespread informal assumptions about "strong" and "weak" passwords, and advise to adopt formal metrics such as proposed one. This paper does NOT advise you to include "at least three capital letters", seven underscores, and a number thirteen in your password.