

Why you don't need long, complex passwords - cpeterso
http://www.infoworld.com/d/security/why-you-dont-need-long-complex-passwords-249530

======
lstamour
Was it just me, or at least on the first page, there wasn't much here of
substance? Felt very click-baity.

The grain of truth is that of course, complexity requirements can be outdated
advice given social engineering (particularly password reset) and password
reuse. But I would draw a line at not caring how passwords are stored. And
ultimately, attackers go for the weakest link they can perceive. The first
company to suggest that, like libraries, PIN numbers with default values are
good enough, will be the first to have random, brute force attacks against
them succeed. Unless you change the game entirely, such as by requiring two-
factor authentication, a random password is still required to protect from
unauthorized account access and I don't see that advice changing anytime soon.
It's even easier now that such random characters can be generated by apps and
browsers. Of course, such password stores might in turn be the next targets,
but malware has yet to make a large dent in iOS, as far as I can tell. Let's
hope we're a long way off from fake cell towers...

------
kazinator
One slight problem with the article is that its author thinks that
"Tr0ub4dor83" and its ilk is a long and complex password. It isn't; rather,
"correct horse battery staple" is the start of a long and complex password.

XKCD 936 and all that.

Systems should stop requiring users to enter passwords that have "at least one
digit, both upper and lower case, and at least one symbol". Or, at least, that
should only be imposed on passwords that are short, like less than 30
characters. The limits on password length should be very generous: into the
hundreds of characters.
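As an added example (not from the thread or the article), here is the entropy comparison behind XKCD 936 made concrete, plus a checker for the policy kazinator describes: composition rules waived above a length threshold, with a generous maximum. The word list is a constructed placeholder, the 30-character waiver and 256-character cap are assumptions taken from the comment, and the 2048-word list size is the 11-bits-per-word figure XKCD 936 uses.

```python
import math
import re
import secrets

# Constructed placeholder list so the block runs offline; a real diceware-style
# list has thousands of words. The list size used for the entropy estimate is
# passed explicitly so the placeholder length does not distort the numbers.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "cloud", "river", "pencil", "orbit"]

# Character classes a typical composition rule asks for, with class sizes.
CHAR_CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
                (r"[^a-zA-Z0-9]", 33))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words chosen uniformly at random from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def charset_entropy_bits(password: str) -> float:
    """Upper bound: treat each character as uniform over the classes present.
    A cracker guessing 'Tr0ub4dor83'-style substitutions does far better than this."""
    size = sum(n for pattern, n in CHAR_CLASSES if re.search(pattern, password))
    return len(password) * math.log2(size) if size else 0.0


def generate_passphrase(wordlist, n_words: int = 4) -> str:
    """Pick words with a CSPRNG; random.choice is not suitable for secrets."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def policy_check(password: str, waiver_len: int = 30, max_len: int = 256) -> bool:
    """Composition rules apply only below waiver_len; the length cap is generous
    (assumed values: 30 and 256, following the comment above)."""
    if not 1 <= len(password) <= max_len:
        return False
    if len(password) >= waiver_len:
        return True
    return all(re.search(pattern, password) for pattern, _ in CHAR_CLASSES)


if __name__ == "__main__":
    print("4 words from 2048:", passphrase_entropy_bits(4, 2048), "bits")
    print("Tr0ub4dor83 (brute-force bound):", round(charset_entropy_bits("Tr0ub4dor83"), 1))
    print("policy accepts 'Tr0ub4dor83'?", policy_check("Tr0ub4dor83"))
    print("generated:", generate_passphrase(SAMPLE_WORDS))
```

Note that "correct horse battery staple" is 28 characters, so with the waiver at exactly 30 it still trips the composition rule; the threshold needs tuning or a fifth word.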

