
Password Security: Why the XKCD horse battery staple password is not correct - sharjeelsayed
https://diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/
======
badrabbit
This post makes a lot of assumptions.

This is a hard one because I agree with most of OP's points but, teaching
people to use a password manager is not easy, and even then, password managers
on mobile devices make for a bad experience. Like it or not, people will need
to memorize passwords and they will reuse passwords across applications and
sites. That's something security engineers must accept as a reality.

The solution is:

1) Don't use password authentication on your site (at all)

2) Use 2FA even if you must use passwords.

No one will argue that a passphrase is better than a randomly generated
password if you use a password manager. But if you must remember the passwords
then a passphrase is better.

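As an added worked example (not part of the thread or the linked post), here is the entropy arithmetic behind the passphrase-vs-random-password point above, for a memorized secret; the 7776-word Diceware list size and the 94-symbol printable-ASCII alphabet are assumptions:

```python
import math
import secrets

# Assumed parameters: a Diceware list has 6^5 = 7776 words, and the usual
# "random password" alphabet is printable ASCII without the space (94 symbols).
DICEWARE_WORDS = 7776
PRINTABLE_ASCII = 94


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def min_length_for(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of symbols needed to reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare(words: int, chars: int) -> dict:
    """Passphrase of `words` Diceware words vs random password of `chars` symbols."""
    p = entropy_bits(DICEWARE_WORDS, words)
    r = entropy_bits(PRINTABLE_ASCII, chars)
    return {
        "passphrase_bits": round(p, 1),
        "password_bits": round(r, 1),
        # How long each scheme must be to be at least as strong as the other.
        "chars_to_match_passphrase": min_length_for(PRINTABLE_ASCII, p),
        "words_to_match_password": min_length_for(DICEWARE_WORDS, r),
    }


def random_passphrase(wordlist: list, words: int) -> str:
    """Generate a passphrase with a CSPRNG; entropy holds only for uniform choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # Four Diceware words (~51.7 bits) land close to an 8-char random password
    # (~52.4 bits); the passphrase is the one a person can actually memorize.
    print(compare(4, 8))
    print(random_passphrase(["correct", "horse", "battery", "staple"], 4))
```

The comparison only holds if every word is chosen uniformly at random; a passphrase the user composes from favourite words has far less entropy than the formula reports.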
------
Gibbon1
> As a longer term strategy, we are moving to kill the use of passwords as the
> single authentication mechanism, and enforcing multi-factor authentication
> as the default everywhere.

My thought on this is to replace 'password manager' with an input 'authentication
device' and that needs to sit between the computer and the input device (touch
screen, keypad, keyboard, mouse). Meaning the user's password shouldn't be
authenticated by the remote server or the user's computer, instead by a
hardened device that also authenticates the user's input.

