Want to learn more than you ever thought you needed to know about password theory? Check out the old Green Book from the DoD. Great stuff.
I find it useful to understand the "why’s" associated with password management. There are three major, sometimes competing, risks associated with passwords:
- Compromise of the password repository. Generally, this is more of a vulnerability management issue than it is an issue of passwords.
- Password guessing or brute forcing (interactive). There is lots of theory around this in the Green Book. Bottom line: the "weakness" of a password is a function of the password space, lifetime, and number of attempts allowed. With brute force, this is really all it is – straight math, so you can evaluate the relative strength of your scheme. With password guessing, there is also a human element in trying to guess what passwords any particular person might have.
- Social engineering. This is gaining a password by methods other than system-related ones. This is the big reason that multi-factor authentication is valuable – to protect against the stolen password.
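Since the brute-force case really is straight math, here is an added worked example (mine, not from the post or the Green Book itself) of the guessing-probability bound the Green Book uses, P = L×R/S, where L is the password lifetime, R the guess rate an attacker can sustain, and S the password space. Treating a lockout policy as "N attempts per window", which bounds R, is my own modelling assumption; the policy numbers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    """Constructed password policy: the three knobs the post names."""
    alphabet_size: int        # distinct characters allowed (sets the space)
    length: int               # password length (sets the space)
    lifetime_days: float      # maximum password age (the lifetime L)
    attempts_per_window: int  # lockout: guesses allowed per window ...
    window_seconds: float     # ... which bounds the attacker's rate R


def password_space(alphabet_size: int, length: int) -> int:
    """S = A^M: fixed-length passwords over an alphabet of size A."""
    return alphabet_size ** length


def effective_guess_rate(attempts_per_window: int, window_seconds: float) -> float:
    """R in guesses/second, assuming the lockout is the only rate limit."""
    return attempts_per_window / window_seconds


def guess_probability(policy: Policy) -> float:
    """Green Book bound P = L*R/S: chance that an attacker guessing at rate R
    for the whole lifetime L hits one password out of a space of S (capped at 1)."""
    lifetime_s = policy.lifetime_days * 86400
    rate = effective_guess_rate(policy.attempts_per_window, policy.window_seconds)
    space = password_space(policy.alphabet_size, policy.length)
    return min(1.0, lifetime_s * rate / space)


def min_length_for(alphabet_size: int, lifetime_days: float,
                   rate: float, p_max: float) -> int:
    """Smallest length M with A^M >= L*R/p_max, i.e. the shortest password
    that keeps the guessing probability at or below p_max for this lifetime/rate."""
    needed_space = lifetime_days * 86400 * rate / p_max
    length = 1
    while alphabet_size ** length < needed_space:
        length += 1
    return length


if __name__ == "__main__":
    # 6 lowercase letters, 90-day lifetime, lockout of 5 tries per 30 minutes
    locked = Policy(26, 6, 90, 5, 1800)
    print(f"with lockout:    P = {guess_probability(locked):.2e}")
    # same password, 1-year lifetime, no lockout (100 guesses/s): P saturates at 1
    open_ = Policy(26, 6, 365, 100, 1)
    print(f"without lockout: P = {guess_probability(open_):.2f}")
    print("length needed for P<=1e-6 over a year at 100/s, 62-char alphabet:",
          min_length_for(62, 365, 100, 1e-6))
```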