Consider using diceware instead of 0-9a-zA-Z., for passwords

[mrjones-plip]

Right now we use we choose 9 characters from these 64 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789., characters to generate passwords for new users. While decently secure at 18.01 quadrillion (18,014,398,509,482,000) combinations and 54 bits of entropy, these are hard to type and even more likely to be impossible to remember.

Instead, we might consider implementing diceware for password generation. A 4 word passphrase would have similar strength at 3.65 quadrillion (3,656,158,440,062,976) combinations and 51.70 bits of entropy, but be much easier to type and to remember.

Examples

Here's a comparison of 3 passwords from the current system, and 4 from a possible future system, assuming we addopted Swahili:

9 Random Characters	4 Random Words
IoVz,gQFr	tekeleza-baraza-fuata-zuia
Ww98ieBs1	usalama-kwa-ambayo-hizi
hF.p8Ka6W	ingi-timu-maendeleo-sana

Maths used:

R = number of possible characters/words
L = number of chosen characters/words
^ = exponential
7666 = R for diceware (possible words)
64 = R for current (possible characters)
Possible combinations = R^L (in a spreadsheet: =POWER(A3,B3))
Entropy = log2(R^L) (in a spreadsheet: =LOG(POWER(A3,B3),2))

Sources: PassBits, Wikipedia, diceware