Everything you know about good passwords is wrong

Passwords are bad

You know those sites that enforce bad passwords? Your password must include upper and lower case characters and symbols?

They think they are enforcing good password practice, but they fail on two counts.

Firstly, if someone can't remember their password because it is something like H7Yh2&4%£b, they are going to write it down or store it in a plain text file, and then your security is broken. Worse, the rules do not stop people choosing weak passwords that happen to satisfy them, like Charlie123% .

Secondly, complexity rules give much less protection than they appear to. How long a password survives brute force (simply trying every combination of characters on fast hardware) depends on its length and the size of the character set, and on how quickly the site's password hash can be computed. Eight characters drawn from the whole keyboard, however "complex", is only about 6.6 × 10^15 combinations, which a single modern GPU can exhaust in under a day against a fast, unsalted hash such as MD5 or NTLM. Ten truly random characters like H7Yh2&4%£b is far harder (about 6 × 10^19 combinations), but that is precisely the password nobody can remember, so in practice people settle for eight characters or a predictable pattern, and cracking tools handle those easily.

Passphrases are good

We should forget using passwords and start using passphrases.

"What is a passphrase?", I hear you ask. A passphrase is a combination of words that is much easier to remember than a random collection of characters. It can also be much harder to crack, but only if the words are chosen at random: a song lyric or a well-known quote is in every cracker's wordlist. Exhaustively searching eight characters is feasible today; against a passphrase the attacker either has to search far more characters or, if they guess you are using words, search over the dictionary instead. Each randomly chosen word from a list of several thousand adds around 13 bits of entropy, the equivalent of two extra fully random characters, so four words is on a par with eight random characters and every word beyond that leaves them further behind.

A passphrase can be a collection of random words, such as "HorseBeetrootCautionWorks" or "FamousLouseCombPatty", and that is a lot easier to remember than "H7Yh2&4%£b". Pick the words with dice or a generator rather than out of your head, because the words you think of first are the words everyone thinks of first. You can jazz it up a bit to get it past those password validations that enforce bad passwords: replace the os with zeros and the es with threes, and you have "H0rs3B33tr00tCauti0nW0rks". Be clear about what that buys you, though. Cracking tools apply exactly these substitutions as rules, so the digits add essentially nothing to the strength; the strength comes from the number of words and the size of the list they were drawn from.
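To put numbers on the argument above, here is an added worked example (not code from the original post) that computes the search space, entropy and worst-case cracking time for random character passwords and for random-word passphrases, and demonstrates that the digit substitution is reversible and so adds no guesses. The guess rate of 1e11 per second is an assumed figure standing in for one modern GPU against a fast unsalted hash, the 7776-word dictionary size is that of the EFF long word list, and the tiny word list in the code is constructed for the example only.

```python
import math
import secrets

# Assumption: a single modern GPU trying a fast, unsalted hash such as MD5 or NTLM
# manages on the order of 1e11 guesses per second. Illustrative, not a benchmark.
GUESSES_PER_SECOND = 1e11

# Constructed toy word list for the demo. A real generator loads a large list
# (the EFF long list has 7776 words); the strength functions take the list size
# as a parameter so they are not limited by this toy list.
TOY_WORDS = ["horse", "beetroot", "caution", "works",
             "famous", "louse", "comb", "patty"]

PRINTABLE_ASCII = 95   # letters, digits and symbols on a standard keyboard
EFF_LONG_LIST = 7776   # 6^5 words, one word per five dice rolls


def search_space(symbols: int, count: int) -> int:
    """Number of distinct secrets built from `count` symbols drawn from `symbols`.
    For a character password the symbol is a character; for a passphrase the
    symbol is a whole word, which is how a dictionary-aware cracker treats it."""
    return symbols ** count


def entropy_bits(space: int) -> float:
    """Bits of entropy when every candidate is equally likely, i.e. when the
    characters or words were chosen uniformly at random."""
    return math.log2(space)


def hours_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case hours to try every candidate; on average the attacker needs half."""
    return space / rate / 3600


def random_passphrase(words: list[str], count: int) -> str:
    """Pick `count` words uniformly with the OS CSPRNG (never the `random` module,
    whose Mersenne Twister output is predictable) and join them CamelCase style."""
    return "".join(secrets.choice(words).capitalize() for _ in range(count))


def leetify(passphrase: str) -> str:
    """The o->0, e->3 substitution the post suggests for passing complexity checks."""
    return passphrase.replace("o", "0").replace("e", "3")


def unleetify(mangled: str) -> str:
    """Reverse of leetify. On an all-letter passphrase the substitution is
    reversible, so a cracker that applies the same rule has exactly as many
    candidates to try as before: the digits add zero bits."""
    return mangled.replace("0", "o").replace("3", "e")


def compare(char_lengths=(8, 10), word_counts=(4, 5, 6),
            dictionary=EFF_LONG_LIST) -> dict[str, tuple[float, float]]:
    """Map each scheme to (bits of entropy, worst-case hours at GUESSES_PER_SECOND)."""
    out = {}
    for n in char_lengths:
        s = search_space(PRINTABLE_ASCII, n)
        out[f"{n} random chars"] = (entropy_bits(s), hours_to_exhaust(s))
    for k in word_counts:
        s = search_space(dictionary, k)
        out[f"{k} random words"] = (entropy_bits(s), hours_to_exhaust(s))
    return out


if __name__ == "__main__":
    for scheme, (bits, hours) in compare().items():
        print(f"{scheme:16s} {bits:6.1f} bits  {hours:16,.1f} h  ({hours / 8766:.1f} years)")
    p = random_passphrase(TOY_WORDS, 4)
    print(p, "->", leetify(p), "->", unleetify(leetify(p)))
```

Running it shows the point of the previous paragraphs: four words from a 7776-word list (about 51.7 bits) sit just below eight random keyboard characters (about 52.6 bits), five words edge past the eight-character case, and six words (about 77.5 bits) are far beyond even ten random characters (about 65.7 bits), all while being something a person can actually remember.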

What really dismays me is when, creating a new password, I am told something like "error: Your password is more than 8 characters"! A maximum length cap forces you to use an insecure password, and it is a warning sign about the site itself: a properly hashed password produces a fixed-size hash whatever its length, so a low cap suggests the password is being squeezed into a fixed-width field rather than hashed.




