

The case for simple passwords - return0
http://glassbalcony.tumblr.com/post/88793017790/the-case-for-simple-passwords

======
krapp
> Why do we keep enforcing non-memorable passwords, instead of complex but
> memorable words?

Because most users' idea of "complex but memorable" is their mothers' maiden
name or their favorite album or the city they were born in, maybe with some of
the letters replaced with numbers or "123" at the end. Most of us have seen
the "correct horse battery staple" XKCD[0] which suggests that a simple
passphrase is stronger than a complex password. But how well do you trust
yourself to remember a hundred different passphrases as opposed to a hundred
different passwords? You won't... you'll probably just end up using something
short and easy to remember and sharing the same few key phrases among multiple
accounts and then you're basically where you started.

> I also wonder if brute force attacks can’t be effectively limited by
> imposing a rate limit on login attempts or requiring an email verification
> every once in a while

Which is fine, unless the password reset questions are guessable, or your
email is vulnerable, or thanks to a SQL injection issue the site's entire
database has been dumped onto Pastebin. Brute-forcing the site and brute-forcing
the hashes are two different issues. That said, I don't know the math well
enough to know for certain which solution (password vs passphrase) is really
the better one.

[0] [http://xkcd.com/936/](http://xkcd.com/936/)
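The two points raised above (a "memorable" password built from a predictable recipe is much weaker than its character count suggests, and guessing against a rate-limited login is a different problem from guessing against a dumped hash database) can be put into numbers. The following is an added example, not code from the post or the thread: it computes entropy in bits for three password schemes and the worst-case time to exhaust each at three guess rates. The 94-character printable-ASCII alphabet and the 7776-word Diceware list are real figures; the recipe sizes (100,000 base words, 2 capitalisations, 16 substitution patterns, 1,000 numeric suffixes) and the three guess rates are constructed assumptions for illustration.

```python
import math

# Constructed guess-rate assumptions (not from the thread); change to taste.
ONLINE_RATE = 10           # guesses/s against a rate-limited login form
OFFLINE_FAST_HASH = 1e10   # guesses/s against a dumped fast, unsalted hash
OFFLINE_SLOW_HASH = 1e4    # guesses/s against a deliberately slow hash (bcrypt-class)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def pattern_bits(base_words: int, cases: int, leet_variants: int, suffixes: int) -> float:
    """Bits for a 'complex but memorable' password built from a recipe:
    one word from a list, a capitalisation choice, a character-substitution
    pattern, and a numeric suffix. A guesser enumerates recipes, not characters,
    so the search space is the product of the choices, not 94**len(password)."""
    return math.log2(base_words * cases * leet_variants * suffixes)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate; the average is half of this."""
    return 2 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Render seconds as the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
                       ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"


def compare() -> dict:
    """Return {scheme: {'bits': b, 'online': s, 'offline_fast': s, 'offline_slow': s}}."""
    schemes = {
        "8 random printable-ASCII chars": entropy_bits(94, 8),
        "4 random Diceware words (7776-word list)": entropy_bits(7776, 4),
        "name + l33t + digits (recipe, constructed sizes)":
            pattern_bits(100_000, 2, 16, 1_000),
    }
    return {
        name: {
            "bits": bits,
            "online": seconds_to_exhaust(bits, ONLINE_RATE),
            "offline_fast": seconds_to_exhaust(bits, OFFLINE_FAST_HASH),
            "offline_slow": seconds_to_exhaust(bits, OFFLINE_SLOW_HASH),
        }
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name}: {row['bits']:.1f} bits")
        print(f"   online, rate-limited : {human_time(row['online'])}")
        print(f"   offline, fast hash   : {human_time(row['offline_fast'])}")
        print(f"   offline, slow hash   : {human_time(row['offline_slow'])}")
```

Two things fall out of the numbers. The four-word passphrase and the eight-character random password land within a bit of each other (about 52 bits), so the XKCD argument is about memorability at equal strength, not about passphrases being magically stronger. The recipe-built password is a different story: it looks like eleven mixed characters but is about 32 bits, which a rate limit of ten guesses per second still holds off for years, yet a dumped fast hash gives up in well under a second. Rate limiting protects the login form; only a slow, salted password hash protects the dump.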

------
edoceo
Yea, some sites don't allow spaces. Or some disallow other special characters
while blocking others. Or limit to 16 characters (outlook.com).

