We propose a canonical measure of password's strength. We give formal definition of the "guessing attack", and the "attacker's strategy". The measure is based on the assessment of the efficiency of the best possible guessing attack. Unlike naive password strength assessments our measure takes into account the attacker's strategy. We argue strongly against widespread informal assumptions about "strong" and "weak" passwords, and advise to adopt formal metrics such as proposed one. This paper does NOT advise you to include at least three capital letters, seven underscores, and a number thirteen in your password. Full text of the paper is on arXiv available as PDF and TeX.