Gregory Maxwell wrote:
> But what we should be telling people is:
> "Use the longest pass*phrase* you can easily type...
> Yes, "gWXi$a09" is strong too, but when you try to tell people to use
> passwords like that you get "10qpalz," which isn't strong.
Well, I'm not so sure either works. I'm one of the more
security-conscious people I know, and I don't bother with strong
passwords (let alone passphrases) when I register at ordinary
websites -- the risk just isn't there. If you tell me to pick
a strong password I'll just laugh at you.
And if you violently disagree with me here -- that's my point.
This may be an irresponsible attitude of mine, maybe I really
*should* be using strong passwords on every ordinary website I
register with, but: I bet I'm not alone.
If your security strategy depends on users picking a certain kind
of password, you'd better enforce it in software, because I doubt
you'll get enough voluntary compliance otherwise.
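As an added example (it is not part of the thread and is neither Maxwell's nor the reply author's code), the kind of enforcement the last paragraph is asking for, written to show why it matters how the rule is written. `naive_complexity_ok` is the classic "8+ characters, 3 of 4 character classes" rule; `check_password` instead puts a floor on length, rejects a small constructed blocklist, and estimates guessing entropy by charging only about one bit for each character that is a repeat, a QWERTY neighbour, or the next character in ASCII order. The QWERTY rows, the blocklist, and the thresholds (8 characters, 40 bits) are assumptions for illustration; a real deployment would use a breached-password list and a calibrated estimator. The entropy model is what lets a long lowercase passphrase through where the class-count rule rejects it, and what rejects "Qwerty123456!" where the class-count rule accepts it. Note the caveat the thread's own example raises: an interleaved two-column walk like "10qpalz" has almost no adjacent key pairs, so the adjacency model alone would not flag it; it is rejected by the length floor.

```python
"""Password-policy enforcement, a naive complexity rule beside an
entropy-based check.  Added example: the QWERTY layout, blocklist and
thresholds below are assumptions, not from the thread."""
import math
import re

# Assumed: four rows of a US QWERTY layout, used to spot keyboard walks.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
# Assumed: a tiny stand-in for a real breached-password / dictionary list.
BLOCKLIST = {"password", "letmein", "welcome", "iloveyou", "admin"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
CLASS_SIZES = (26, 26, 10, 33)

MIN_LEN = 8      # assumed floor; also what rejects the quoted "10qpalz"
MIN_BITS = 40.0  # assumed entropy threshold


def _build_adjacency():
    """Map each key to its left/right neighbours and the keys above/below
    it (same column index: 1-q, q-a, a-z, 0-p, ...)."""
    adj = {}
    for r, row in enumerate(QWERTY_ROWS):
        for i, ch in enumerate(row):
            neighbours = set()
            if i > 0:
                neighbours.add(row[i - 1])
            if i + 1 < len(row):
                neighbours.add(row[i + 1])
            for rr in (r - 1, r + 1):
                if 0 <= rr < len(QWERTY_ROWS) and i < len(QWERTY_ROWS[rr]):
                    neighbours.add(QWERTY_ROWS[rr][i])
            adj[ch] = neighbours
    return adj


ADJACENT = _build_adjacency()


def _predictable(prev, cur):
    """True if cur is cheap to guess given prev: a repeat, a keyboard
    neighbour, or the next/previous ASCII character (abc, 123)."""
    p, c = prev.lower(), cur.lower()
    if p == c or c in ADJACENT.get(p, ()):
        return True
    return abs(ord(c) - ord(p)) == 1


def _pool_size(pw):
    """Alphabet size implied by the character classes actually present."""
    return sum(size for pat, size in zip(CLASS_PATTERNS, CLASS_SIZES)
               if re.search(pat, pw))


def estimate_bits(pw):
    """Rough guessing entropy: log2(pool) per character, but only ~1 bit
    for a character that is predictable from the one before it."""
    if not pw:
        return 0.0
    per_char = math.log2(_pool_size(pw))
    bits = per_char
    for prev, cur in zip(pw, pw[1:]):
        bits += 1.0 if _predictable(prev, cur) else per_char
    return bits


def naive_complexity_ok(pw):
    """The classic rule: 8+ characters and at least 3 of 4 classes.
    Accepts 'Password1!' and rejects a long lowercase passphrase."""
    classes = sum(bool(re.search(pat, pw)) for pat in CLASS_PATTERNS)
    return len(pw) >= 8 and classes >= 3


def check_password(pw):
    """Length floor, blocklist, then entropy.  Returns (accepted, reason)."""
    if len(pw) < MIN_LEN:
        return False, "shorter than %d characters" % MIN_LEN
    lowered = pw.lower()
    for word in sorted(BLOCKLIST):
        if word in lowered:
            return False, "contains blocklisted word %r" % word
    bits = estimate_bits(pw)
    if bits < MIN_BITS:
        return False, "too predictable (~%.0f bits)" % bits
    return True, "accepted (~%.0f bits)" % bits


if __name__ == "__main__":
    for candidate in ("10qpalz", "gWXi$a09", "Password1!", "Qwerty123456!",
                      "correct horse battery staple"):
        print("%-30r naive=%-5s policy=%s" % (
            candidate, naive_complexity_ok(candidate), check_password(candidate)))
```

Running the block prints both verdicts for the thread's two examples plus three constructed ones; the interesting rows are the disagreements, where the class-count rule says yes to a blocklisted or keyboard-walk string and no to the passphrase.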