

Bad passwords are not fun and good entropy is always important - troyhunt
http://www.troyhunt.com/2011/04/bad-passwords-are-not-fun-and-good.html

======
pwg
Best quote from the article: "There’s a very good reason why systems define
minimum password criteria and there’s also a very easy way to comply – and
exceed – using a decent password manager. In fact once you let go of the
mindset that you need to remember all your passwords, everything gets
extremely liberating. Sure, you’ll still need to memorise a few (your PC
logon, for example), but it’s a rare exception."

Using Password Gorilla ( <https://github.com/zdia/gorilla/wiki> ) provides
just that "liberating" experience of which the author speaks. Suddenly, having
98 different, totally random, high entropy passwords, unique per website
login, is no big deal.

------
FilterJoe
Troy's detailed rebuttal of Thomas Baekdal's "this is fun" password post
(<http://news.ycombinator.com/item?id=2450972>) goes through the faulty
assumptions one by one and is spot on. As Troy points out, the most glaring
omission in Baekdal's post is how password reuse is so terrible for security -
and therefore how Baekdal's scheme breaks down for more than a few dozen
accounts.

Troy's solution (and mine) is to use a good password manager. Each account has
its own, long, randomly generated password which is different from all others
- and you only need to remember one password - the master password guarding
them all.

However, I think the central point in Baekdal's article could have been
reasonably made had he not started with faulty assumptions (and had he made it
clear that the intended audience was end users):

If passwords are truly randomly generated, then it is actually true that
(lowercase character) length trumps complexity. A standard PC that is forced
to check all combinations of a password (because it's randomly generated and
not in a dictionary) is going to take the following times to crack a password:

15 minutes: 7 lowercase characters
79 days: 7 lower/upper/numeric/special
5 million years: 15 lowercase characters

One thing I think is critical to mainstream users adopting good password
management is that it has to be really easy and convenient. So here is why
pure lowercase passwords are more convenient:

Many users enter passwords into cell phones these days, and at the moment,
most password management software doesn't automatically do this for you. Or -
you may need to manually enter your password on a friend's computer when
checking your email. Entering really long lower/upper/numeric/special
passwords is painful to begin with, but much worse on cell phones, even ones
with good keyboards like Blackberries, as you have to keep switching modes.
Entering a 15 character lowercase jumble, on the other hand, is not such a big
deal on a Blackberry or with an Android or iPhone keyboard.

And why do I keep talking about 15 characters as opposed to 14 or 17? Because
some systems (most notoriously older versions of Windows NT) break passwords
that are 14 characters or less into two halves, which can then be easily
discovered on captured password lists with rainbow table software. I am
unaware of any rainbow table software purported to be able to do anything with
15 character random jumbles.

I don't mean to take away from Troy's main point, though. Clearly Baekdal had
not taken the time and effort required to make sure all of his assumptions
were correct. The result was that his main point (in which there is a small
kernel of truth - that length is by far the most important of the entropy
variables) is not well supported in his article.
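
As an added example, not part of either comment above: the Python script below computes the keyspaces and entropy behind the three crack-time figures FilterJoe quotes, and the cost of attacking a password that is hashed as two independent 7-character halves (the scheme the comment refers to). The attacker rate of 10 million guesses per second and the 94-symbol "lower/upper/numeric/special" alphabet are assumptions, chosen because they reproduce the comment's numbers; they are not from the thread.

```python
"""Length vs. complexity for uniformly random passwords.

Added example, not from the thread. Computes exhaustive-search keyspace,
entropy in bits and worst-case crack time for the three cases quoted in the
comment, plus the cost when a <=14-char password is hashed as two
independent 7-char halves instead of as one string.
"""
import math
import string

# Alphabet sizes. Assumption: "special" means all 32 printable ASCII
# punctuation characters, so lower+upper+digits+special = 94 symbols.
LOWER = len(string.ascii_lowercase)                                     # 26
MIXED = len(string.ascii_letters + string.digits + string.punctuation)  # 94

# Assumed single-PC attacker speed. 1e7 guesses/s is the rate at which the
# comment's "15 minutes / 79 days / 5 million years" figures line up.
GUESSES_PER_SECOND = 1e7
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size):
    """Candidates an exhaustive search must try in the worst case."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(length, alphabet_size) / rate


def lm_split_cost(length, alphabet_size):
    """Guesses needed when a <=14-char password is stored as two separately
    hashed 7-char halves. Each half is attacked on its own, so the cost is
    the SUM of two small keyspaces, not their product. Returns None for
    passwords longer than 14 characters, which that scheme cannot store."""
    if length > 14:
        return None
    first = min(length, 7)
    second = max(length - 7, 0)
    return alphabet_size ** first + (alphabet_size ** second if second else 0)


def describe(seconds):
    """Human-readable duration for a worst-case exhaustive search."""
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def compare(cases=((7, LOWER), (7, MIXED), (15, LOWER)), rate=GUESSES_PER_SECOND):
    """Return {(length, alphabet_size): (entropy_bits, seconds)} per case."""
    return {(n, a): (entropy_bits(n, a), seconds_to_exhaust(n, a, rate))
            for n, a in cases}


if __name__ == "__main__":
    for (n, a), (bits, secs) in compare().items():
        print(f"{n:2d} chars, alphabet {a:2d}: {bits:5.1f} bits, {describe(secs)}")
    # 14 lowercase chars as two 7-char halves vs. as one 14-char string:
    print("split 14 lowercase:", lm_split_cost(14, LOWER),
          "vs unsplit:", keyspace(14, LOWER))
    print("15 lowercase (not storable as two halves):", lm_split_cost(15, LOWER))
```

Running it shows that 15 lowercase characters (about 70.5 bits) carry far more entropy than 7 characters drawn from all 94 printable symbols (about 45.9 bits), and that splitting a 14-character password into two halves collapses its cost from 26^14 guesses to roughly 2 x 26^7, which is why the comment's length threshold sits at 15.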

