Hacker News new | past | comments | ask | show | jobs | submit login

NIST guidelines are for a minimum length of 8 characters and a maximum length of no fewer than 64 characters.

What is your basis for suggesting anything less than those guidelines is sufficient?



You should try plotting ease of recall vs the size of password. You will quickly realize there is a long tail beyond 16 characters.

You seem to think recalling passwords is a good idea--it's not. The desire to recall passwords leads to selecting very few passwords (if not just one) for many identities, which is very insecure.

We should be encouraging people to select passwords that they can't rememeber so that they are then encouraged to generate them with a tool (my favorite being KeePass).

"correct horse battery staple" doesn't fit in 16 characters, and has has much better recall than basically all similarly-secure passwords that do.

Longer passwords let you optimize passwords for ease of recall and security, rather than fitting in arbitrary requirements.

Even though that phrase password is 16 characters long, it has the same entropy as a 9-10 letter long alphanumeric random password (according to KeePass' generator). I agree that it's easier to recall, but it's half as secure as a properly random 16 character one.

I've used Debian's xkcdpass to generat 50 sets of 100 million passwords, then then checked for duplicates. The algorithm uses six words and a large dictionary, but otherwise resembles the xkcd original.

There were no duplicates in any of the 50 sets. (About a week's runtime on a fairly modest Intel processor.)

Given that 100m accounts is a fair fraction of the world's active computer users, that's a pretty good start.

(There are further reasons for finding passwords alone insufficient for security, but at least these are strong, and yet potentially memorable, passwords.)

Diceware will solve that problem of easy recall + secure password: http://world.std.com/%7Ereinhold/diceware.html

I consider it a good thing that I currently only know about 3-4 passwords and the rest are just unknown asterisks that get pasted in by my password manager.

Recalling passwords? That's so yester-year.

EDIT: Well, with the exception of your password manager one, if not using biometrics.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact