Applying Pavlovian Psychology to Password Management

Ars Technica reports on an interesting and sensible-sounding approach to password policy that I'd like to see adopted just about everywhere I have a password (which, these days, is quite a few). An excerpt: "For instance, a user who picks "test123@#" might be required to change the password in three days under the system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. The three-day limit is based on calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months."

ObXKCD: Passphrases

[tepples]

From the article: "Passcodes that have a length of 20 or more can contain any character type an end user wants, including all lower case letters." And sites like Phil's Hobby Shop have lowered "complexity" requirements for sufficiently long passwords. I'm glad the passphrase concept is catching on. To what extent can xkcd be credited with awareness of passphrases?

Re:Grammar is overrated

[Mashiki]

As illustrated in the comic, your mind can end up constructing a "story" around whatever four words your Diceware spits out. So long as you can remember the story, it doesn't need to be grammatical.

Bingo. Funny enough, I just finished doing a security job out in western canada(provincial government office) and moved them to passphrases. Funny how the number of "passes written on post-it-notes" dropped from "everywhere" to nowhere except the firebox safe. The safe of course is in it's own room, and requires two keys to open besides the combination. This of course also cut down on the intrusions into the network, because people simply "walking in" couldn't glean passwords that were posted in the open anymore.