[WikiEN-l] Please change your passwords.

[Steve Summit]

Gregory Maxwell wrote:
> But what we should be telling people is:
> "Use the longest pass*phrase* you can easily type...
> Yes, "gWXi$a09" is strong too, but when you try to tell people to use
> passwords like that you get "10qpalz," which isn't strong.

Well, I'm not so sure either works.  I'm one of the more
security-conscious people I know, and I don't bother with strong
passwords (let alone passphrases) when I register at ordinary
websites -- the risk just isn't there.  If you tell me to pick
a strong password I'll just laugh at you.

And if you violently disagree with me here -- that's my point.
This may be an irresponsible attitude of mine, maybe I really
*should* be using strong passwords on every ordinary website I
register with, but: I bet I'm not alone.

If your security strategy depends on users picking a certain kind
of password, you'd better enforce it in software, because I doubt
you'll get enough voluntary compliance otherwise.