While this topic is not specifically within the scope of this cookbook, it plays a big role in brute force and dictionary attacks against your credential store. NIST SP 800-63 Appendix A contains a lengthy discussion of Claude Shannon's notion of information entropy and complexity as it applies to passwords; we'll leave that discussion to that document. Here, we'll say that there are any number of ways to reach the required 1:16384 chance of guessing a password during its active life, and the 14 bits of min-entropy against a targeted guessing attack, that are required by the Silver IAP. You can have longer, more complex passwords that are active for a longer time, or shorter, less complex passwords that are active for a shorter time, with more or less aggressive account lockout policies, and so on. SP 800-63, the IAP document, and an entropy calculation spreadsheet such as http://www.infoworld.com/sites/all/themes/ifw/downloads/passwordcalc096.zip are good reference documents.
