Researchers at Microsoft and Ottawa's Carleton University set out to take a cold, hard look at passwords, and here's what they found: the way we traditionally measure password strength is inconsistent, and it often says nothing about how hard a password would actually be to guess.
Here's an example: some systems force you to choose an eight-character password using capital letters, numbers and at least one symbol. That sounds pretty secure, but it's not. The word P@ssw0rd fits these criteria, and password-cracking tools such as John the Ripper or hashcat will guess it in minutes. That's because they use something called "mangling rules", which take dictionary words and substitute characters such as @ for a or $ for s.
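As an added illustration (not code from the article or from the researchers' work), here is a small Python check that makes the point concrete: P@ssw0rd satisfies the composition rule, yet once the common substitutions are reversed it is just the dictionary word "password". The word list and substitution table are constructed for the example; a real check would load a large breached-password list.

```python
import re

# Constructed, deliberately tiny word list for the example.
DICTIONARY = {"password", "welcome", "letmein", "dragon", "monkey"}

# Common "mangling" substitutions, reversed: the digit or symbol that
# usually stands in for a letter maps back to that letter.
UNMANGLE = {
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
}


def undo_substitutions(text):
    """Map each substituted character back to its letter and lowercase."""
    return "".join(UNMANGLE.get(ch, ch) for ch in text).lower()


def normalized_forms(candidate):
    """Plausible base words for a candidate: substitutions undone, with and
    without leading/trailing decoration such as a '123!' suffix."""
    undone = undo_substitutions(candidate)
    trimmed_after = re.sub(r"^[^a-z]+|[^a-z]+$", "", undone)
    trimmed_before = undo_substitutions(
        re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", candidate))
    return {undone, trimmed_after, trimmed_before}


def meets_composition_policy(candidate):
    """The eight-character, upper + digit + symbol rule the article criticises."""
    return all([
        len(candidate) >= 8,
        re.search(r"[A-Z]", candidate) is not None,
        re.search(r"[0-9]", candidate) is not None,
        re.search(r"[^A-Za-z0-9]", candidate) is not None,
    ])


def is_dictionary_derived(candidate):
    """True if any normalized form is a plain dictionary word."""
    return any(form in DICTIONARY for form in normalized_forms(candidate))


def evaluate(candidate):
    """Return (passes_composition_policy, is_dictionary_derived)."""
    return meets_composition_policy(candidate), is_dictionary_derived(candidate)


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Dr4g0n123!", "Xq7#vLp2"):
        print(pw, evaluate(pw))
```

The pair of booleans is the article's argument in miniature: the composition rule says yes to P@ssw0rd, the dictionary check says it is trivially guessable.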