A quick follow-up on .IsValidPassword: The highest entropy of a password that would be accepted by .IsValidPassword(strong) can be calculated like this:

```8 characters:
1 upper - 26 characters
1 lower - 26 characters
1 numeric - 10 characters
1 special - 7 characters
4 remaining - 26+26+10+7+1(space) = 70 characters

log2(26+26+10+7)*4+log2(26)*2+log2(10)+log2(7) ~~ 40 bits of entropy```

If the requirement was simply 8 characters, the entropy could be

`log2(70)*8 ~~ 49 bits of entropy`

Entropy is used to calculate how long it would take to crack a password, provided it wasn’t an already know password:

`Number of guesses = 2^(entropy - 1)`

If we can make 1,500 guesses per second, divide by (1500 * 86400) (86400 is the number of seconds per day):

```40 bits of entropy ~ 4,000 days
49 bits of entropy ~ 2.1 million days```

What about words? Using words doesn’t necessary increase entropy, as words are part of a finite dictionary. The complete dictionary is somewhere between 100,000 and 200,000 but most people only use 3,000 words.

```log2(3000)*4 ~~ 46 bits of entropy ~ 271,000 days
log2(3000)*5 ~~ 58 bits of entropy ~ 1.1 billion days```

Using 4 words from your own dictionary would give a stronger password than what .IsValidPassword(strong) accepts, even if those 4 words would not get accepted by that method.