The vast majority of security leaks are from people writing their passwords down
Yeah, and when you limit passwords to 8 characters, people feel compelled
to include upper and lowercase characters, numbers, and punctuation,
resulting in passwords that are impossible to remember,
so they write them down. A longer password made out of three or
four words is A) harder to brute-force if someone should happen
to try and B) substantially easier to remember.
The traditional reason to limit passwords to 8 characters was because
with primitive hashing algorithms used in the 1940s (partly due to the
limits of what processors could handle at the time) only the first few
characters were significant anyway, so a longer password would provide
a false sense of security. In modern times, longer passwords should
be allowed if the password hashing algorithm can handle them.
Sanity? Oh, yeah, I've got all kinds of sanity. In fact, I've developed whole new kinds of sanity. Why, I've got so much sanity it's driving me crazy.
Hear! Hear! Using a 24-character passphrase that is all lower-case letters and spaces is still more secure than an eight-character monstrosity, mainly for the reason that it's easier to remember (and probably easier to type).
Furthermore, long passphrases are known to be workarounds for known vulnerabilities in security systems. Passphrases 20 characters or longer are significantly harder to crack in WPA-PSK. Passphrases longer than 14 characters have no LANMAN hash in Windows (MUCH MUCH harder to crack).
Enforcing a larger minimum length is more important than making stern complexity requirements.
Simple proof: You care how long your encryption keys are, not how complex they are.
--J
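The two replies above argue the same point from different angles: length buys more entropy than complexity, and a hash that only looks at the first eight characters throws the extra length away. The following is an added worked example, not code from anyone in this thread. It models each password as a uniformly random choice (the best case for any policy), uses a 94-symbol printable-ASCII alphabet for the "complex" password, a 27-symbol alphabet (lower-case letters plus space) for the lower-case passphrase, a 7776-word list for the word-based passphrase, and a truncation to 8 significant characters as a stand-in for a legacy hash that ignores the rest of the password; the guess rate is an assumed figure for illustration only.

```python
import math

# Assumed alphabet sizes (constructed for this example).
PRINTABLE_ASCII = 94      # upper, lower, digits, punctuation
LOWER_AND_SPACE = 27      # a-z plus the space character
WORDLIST = 7776           # size of a common diceware-style word list
LEGACY_SIGNIFICANT = 8    # characters a truncating legacy hash actually uses


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from
    an alphabet of `alphabet_size`: length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        return 0.0
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(dictionary_size: int, words: int) -> float:
    """Entropy of `words` independently chosen words from a dictionary.
    Each word contributes log2(dictionary_size) bits regardless of its spelling."""
    return entropy_bits(dictionary_size, words)


def truncated_entropy_bits(alphabet_size: int, length: int,
                           significant: int = LEGACY_SIGNIFICANT) -> float:
    """Entropy that survives a hash which only consumes the first
    `significant` characters (the 'false sense of security' case)."""
    return entropy_bits(alphabet_size, min(length, significant))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret of `bits` entropy:
    on average half the keyspace must be searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Side-by-side numbers for the policies discussed in the thread.
    The guess rate is an assumed figure; change it to match a real attacker."""
    cases = {
        "8 chars, full printable set": entropy_bits(PRINTABLE_ASCII, 8),
        "24 chars, lower-case + space": entropy_bits(LOWER_AND_SPACE, 24),
        "4 dictionary words": passphrase_entropy_bits(WORDLIST, 4),
        "24 chars, lower-case + space, legacy hash keeps 8":
            truncated_entropy_bits(LOWER_AND_SPACE, 24),
    }
    return {
        name: {"bits": round(bits, 1),
               "expected_seconds": expected_crack_seconds(bits, guesses_per_second)}
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:55s} {result['bits']:6.1f} bits  "
              f"~{result['expected_seconds']:.3g} s")
```

Two things the numbers show that the prose only asserts: a 24-character lower-case passphrase carries roughly twice the entropy of an eight-character password drawn from the full printable set, even under the most generous assumption that the short password is truly random; and if the hash only uses the first eight characters, the same passphrase drops well below the eight-character password, which is exactly why length limits and truncating hashes went together.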