Over in a fenland blog, there is a little discussion going on about passwords. Evidently, Google has been doing some advertising about what makes a good password, and this has come in for some criticism.
In that blog post, Joseph Bonneau proposes an alternative one-liner:
A really strong password is one that nobody else has ever used.
(One of the commenters (J. Carlio) suggests modifications to add something about memorability.)
This is a seductive idea: it is, broadly, true. It encapsulates the idea that you are trying to defeat brute force attacks, and that these generally succeed by attempting plausible passwords.
But I don’t think it’s good advice. That is mainly because many people are poor at estimating very large numbers: whether the likelihood of my password being used by someone else is one in a thousand, one in a million, or one in a trillion (the word of the week, thanks to national debts) is something that, I would say, few people have a good intuition about. In just the same way, people are poor at assessing the risk of unlikely events.
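To make the "plausible passwords first" attack model concrete, here is a small added example (my own code, not from the post or from Google or Bonneau). It assumes a constructed, ten-entry popularity list standing in for the real lists of previously used passwords, a hypothetical attacker who tries that list, then the list with one digit appended, then exhaustive search over 95 printable characters, and it reports the resulting odds as a power of ten, which is the scale the post says people lack intuition for.

```python
import math

# Constructed sample of "passwords other people have used", ordered by
# popularity. This is illustrative data, not real breach data.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123",
    "letmein", "monkey", "dragon", "111111", "baseball",
]

PRINTABLE_ASCII = 95  # symbols a fallback exhaustive search must cover


def guess_rank(password, common=COMMON_PASSWORDS, alphabet_size=PRINTABLE_ASCII):
    """Return the guess number at which the modelled attacker reaches `password`.

    Attacker order (an assumption chosen to mirror wordlist-plus-mangling
    cracking, not a description of any specific tool):
      1. every entry in `common`, most popular first;
      2. every `common` entry with one digit appended ("password1", ...);
      3. exhaustive search over `alphabet_size` symbols, where on average
         half the space is tried before the right string turns up.
    """
    if password in common:
        return common.index(password) + 1

    stage1 = len(common)
    if len(password) >= 2 and password[-1].isdigit() and password[:-1] in common:
        word_index = common.index(password[:-1])
        digit = int(password[-1])
        return stage1 + word_index * 10 + digit + 1

    stage2 = stage1 * 10
    space = alphabet_size ** len(password)
    return stage1 + stage2 + space // 2


def odds(password):
    """Express the guess rank as 'one in 10^k', the scale the post discusses."""
    rank = guess_rank(password)
    return f"one in 10^{round(math.log10(rank))}"


def bits_of_work(password):
    """The same quantity as log2 of the guess count, the unit cryptographers use."""
    return math.log2(guess_rank(password))


if __name__ == "__main__":
    for candidate in ["123456", "password1", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: guess #{guess_rank(candidate)}, "
              f"{odds(candidate)}, {bits_of_work(candidate):.1f} bits")
```

The point the numbers make is the post's own: "password1" is reached in a couple of dozen guesses because it is a plausible variation of something many people have used, while a string outside every such list forces the attacker back to a search space that is only meaningful to most readers once it is written as a power of ten.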