Incomprehensible passwords that include numbers, capital letters, and characters like the asterisk are great for security but can be maddening to remember. Special characters are also time consuming to type on mobile devices. But security specialists are promoting another type of password option that might be a little bit more to your liking – long and readable. They just can’t make sense.

It’s all about the math and the growing speed of computers. A short password using a limited character set can be broken in a matter of seconds simply because the number of possible outcomes is low. So too can virtually any word in any dictionary. And now rainbow tables, a kind of hacker dictionary, include every phrase in the bible, Wikipedia, the works of Project Gutenberg, and more. The password length isn’t the issue. On a purely mathematical basis running through every possible combination of long string of characters would still take years. But if we use meaningful phrases then we eliminate the vast majority of possible outcomes, making it easier to hack our passwords. So phrases that exist in literature, music, even scientific literature aren’t safe even if the phrase is long.

But long, readable strings that don’t belong together do work. And organizations are beginning to take notice of the possibilities.

Stanford University has adopted a new password policy that allows for short passwords that use an expanded character set, or a long password with a limited character set, but does not contain known word strings. As you can see in the graphic below, short strings are permitted but must contain upper and lower characters, numbers, and symbols. But a long password doesn’t have to contain any of those, it just can’t be a phrase that makes sense or contain words that are related, say 4 kinds of fruit. Get wacky and make up something on your own!

Stanford Password Policy Flow Chart