[Lagged2Death]

I'm surprised to see that "correct horse battery staple" type pass-phrases really have to be quite long to score well, but that even comically short email addresses ("dlk3@mit.edu") score very highly. In fact, it looks like my ever-so-clever words-and-numbers web passwords ("Happy314Day") are all terrible, but all my email addresses all make maximum strength 4-point passwords.

I wonder if that's because email addresses are really hard to crack or if it's because the rules of this scoring system weren't designed to account for such a practice. Not a practice of using your real email address as a password, but the practice of using a fictional email address as a password.

[tomp]

In general, email addresses should make quite good passwords (two.words@domain.tld). However, limiting yourself to yourname.yoursurname@yahoo/google.com reduces the entropy a lot.

Also, the idea of passwords are easy-to-remember&hard-to-guess. The only emails easy to remember are the one's you're using currently, which shouldn't be to hard for an attacker to figure out (in general).

[rplnt]

What about:

simplepassword@domainimregistering.on

Easy to remember yet hard to guess. (Unless you read this comment)

[dullcrisp]

"dropbox.com" is ranked Good and "http://www.dropbox.com is ranked Great. I found this amusing, but as it says in the article, there are very many common patterns which it doesn't check and so overestimates the entropy of passwords using those patterns.

[lowe]

zxcvbn gives high entropy for emails because it isn't matching against them currently. if there's good evidence that people commonly use emails as passwords (and crackers try emails as guesses!) it'd be a great pattern to add.