Gregory Maxwell wrote:
But what we should be telling people is: "Use the longest pass*phrase* you can easily type..." Yes, "gWXi$a09" is strong too, but when you try to tell people to use passwords like that you get "10qpalz," which isn't strong.
Well, I'm not so sure either works. I'm one of the more security-conscious people I know, and I don't bother with strong passwords (let alone passphrases) when I register at ordinary websites -- the risk just isn't there. If you tell me to pick a strong password I'll just laugh at you.
And if you violently disagree with me here -- that's my point. This may be an irresponsible attitude of mine, maybe I really *should* be using strong passwords on every ordinary website I register with, but: I bet I'm not alone.
If your security strategy depends on users picking a certain kind of password, you'd better enforce it in software, because I doubt you'll get enough voluntary compliance otherwise.