Applying Pavlovian Psychology to Password Management

Ars Technica reports on an interesting and sensible-sounding approach to password policy that I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few). An excerpt: "For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months."

Because eventually it will be

[tepples]

Yes, we're assuming that the hashed password file has a substantial probability of getting leaked, just as it was in several other high-profile breaches (Sony, Target, etc.). If it's impossible for an inside job to leak the password file, then how can the system 1. use the password file to authenticate users and 2. back up the password file in case of hardware failure?

Re:Grammar is overrated

[AmiMoJo]

The problem is that password crackers can now crack strings of words relatively easily. On page three of the article it even mentions that comic specifically as an example of what crackers can now break.

Two factor authentication is the solution. If you can't use that then a long, random password stored in a password safe app is the best bet. Anything you can remember is crackable.