Password Security: Why the Horse Battery Staple Is Not Correct

First time accepted submitter Dadoo writes By now, everyone who reads Slashdot regularly has seen the XKCD comic discussing how to choose a more secure password, but at least one security researcher rejects that theory, asserting that password managers are the most important technology people can use to keep their accounts safe. He says, "In this post, I'm going to make the following arguments: 1) Choosing a password should be something you do very infrequently. 2) Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks. 3) When you do have to choose a password, one of the most important selection criteria should be how many other people have also chosen that same password. 4) One of the most impactful things that we can do as a security community is to change password strength meters and disallow the use of common passwords."

XKCD is correct

[Archangel+Michael]

Entropy is key to a good Password. Increasing the password length is one of the easiest ways to increase entropy in a password. Very few people can remember a password like "Xl5xX8lB4XI5" which would take a single computer about 25 thousand years*

However, using long words "alligatorterrorizesnewyorkcity" would take 22 septillion years*

* according to https://howsecureismypassword....

That being said, I also agree that generating new passwords should be done with a Password Manager, however the first password is always the hardest. Which is why three long seemingly random words is much easier and safer, IMHO.

Re:Oh great

[rnturn]

``We're being awfully slow about teaching people to adopt passphrases''

Maybe because there's so many websites out there that still limit your password/passphrase to a fairly short maximum number of characters. If I wanted to use something like `correcthorsebatterystaple' I'm usually not allowed to. Especially when using commercial sites, you are, all too often, limited you to a short -- and often numeric-only -- password (PIN, actually).

Use a password manager

[KozmoStevnNaut]

I've used Keepass for a long time, but I recently moved to Lastpass because getting Keepass to sync reliably is a major hassle, plus Lastpass works really well on Android, even for apps. I have a strong master password, which is easy to change regularly because I only have to remember that one password. I also have 2-factor authentication enabled through Google Authenticator. Every other password is randomly generated, I don't even know them.

Re:Oh great

In theory it is, but in practice "Love is beautiful, like birds that sing." is more likely to show up in a dictionary attack than a random string of gibberish. Just because it's nearly impossible to brute force doesn't mean it's necessarily a good password. Popular pharses, lyrics, Bible verses, etc can be substituted in a guessing algorithm just like using "$" instead of "S". Here's an interesting article about some of that:
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Re:What's the UTF-8 encoding of THAT?

[Guy+Harris]

If by "that" you mean "a fecal sample", the Unicode encoding is U+1F4A9.

Re: symbols, caps, numbers

[geminidomino]

It gets hashed down to 28-64 characters and written into the database?

Re: Oh great

[David+Jao]

A quantum computer can brute force a password quadratically faster than a classical computer. This speedup is much slower than the exponential speedup that a quantum computer enjoys against RSA. Long passphrases are still very secure against quantum attacks.