Strong Passwords Not As Good As You Think

Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.

I'll repeat what I've said before: Use sentences.

[kinabrew]

I advise people to use unusual sentences as passwords.

For example, look at the previous sentence.

I advise people to use unusual sentences as passwords.

It contains uppercase letters, lowercase letters, spaces and punctuation.

It's easy to remember, and hard to guess, so users are unlikely to forget it/write it down.

And even if you did write down your sentence/password near your computer, people might not even guess that it was your password.

Re:limited application

[MrMr]

In particular many *NIX environments
I have used passwords with spaces since the 1990's on AIX,IRIX,HPUX, Solaris and Linux and have only seen that happen on poorly written sql code (deliberatily put there by some ignorant web-developer).
Which environment would that be?