This attitude is the real problem. I don't mean you specifically, but generally across the web and beyond. Users are too stupid to remember more than one long word, so we'll have to force them into using mixed case and punctuation to achieve security!
Well ... yes and no. It's true that it's often done but it's not what Cracklib enforces. And yes, it's stupid---but something rather different from preventing stupid users from using "joe" as a password.
Yet every password guide or ruleset I've ever read on a website goes with some variation on the 6-8 characters with at least 1 digit and 1 punctuation and "Don't share passwords between sites". We've programmed people into the very habits that lead to all the problems we are now having.

Also mostly true. I blame it on people (except for Phil Zimmermann and Randall Munroe) not actually thinking about what they're doing when writing such guides but always passing on "common knowledge" from a time when system passwords were limited to 8 characters.

However, having several passwords makes complete sense. Every day tens of thousands of passwords get snatched by trojans, and often (had it happen to several friends of mine) it's because people entered them on notoriously dodgy internet café machines. Now if I can't avoid entering, say, my freemailer passphrase on a potentially infected machine (I'm paranoid enough to have a Knoppix USB stick on my keyring to avoid having to, but I wouldn't ask that of everyone) I'd hate the Nigerians to get the passphrase to my PGP keys and work computers as well. So I just have a handful of different passwords that I use depending on how secure I think their respective site is, and the higher security ones just don't get entered anywhere I can't be reasonably sure the system isn't safe.


In reply to Re^10: Password strength calculation by mbethke
in thread Password strength calculation by cavac
