I advised my friend to use uppercase / lowercase / numbers / special-characters in her password to make it more secure. On hearing this my friends Bill and Andy errupted into a disputatious frenzy, arguing that password length is more important than the range of characters. I was shaken enough to try and find out if they were right. I opened up LibreOffice Calc and made the following graph:
The blue is for passwords just using the 26 lower case letters, and the red is for 67 alphanumerics. The idea is that the horizontal axis is the strength of the password, and the height of the column is the number of characters you need to achieve that strength. For example, say you want a password strength of 1 x 1012 variations, you can see that it requires a password length of about 8.5 charaters of lowercase, and 6.5 characters of alphanumeric.
So, assuming this graph and all the assumptions are correct, who is right? I concede that they are! But is that the whole story? What if you're using words? Then the whole thing changes. We need another graph. Bill, Andy?
[Update 2014-04-19 14:41]
XKCD has a good take on this, so four easy-to-remember random words.