-
I'm pretty much pig-ignorant on this, but Bruce Schneier claims that the XKCD long password thing is no longer a good tactic: https://www.schneier.com/crypto-gram-1403.html#13
-
He's right. It's nowhere near as good as using some alternative method such as 2 factor auth or something truly random.
Picking anything based on you (i.e. facts known about you, your favourite lyric, etc., even your language) is a bad idea.
But... presuming you have a line of gibberish, a longer line will always win. Length trumps complexity enough that if you make it reasonably long and only slightly complex, that's better than short and very complex.
It's only a matter of time though. Everything password based is crackable.
Ever tried password cracking (I did, only last month when my accountants decided to start password protecting PDF payslips and I wanted to mock them)?
Length is the issue.
Even if someone told you their password was 50 chars long, figuring out how to make that from all dictionary words, names, place names, etc... just keeping to ASCII only... would take a long long time to crack.
My accountants used a short, complex password; it took my GPU less than a day with no clue given, and less than an hour when I told it that it was only looking at 8 chars in length.
Long simple passwords FTW.
I started to use long passwords by simply prepending my old password with "my password is ". Though now I've gone full Catch-22 and have to repeat a loyalty oath every time I want to do something.
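As an added illustration (not part of the thread or anyone's own code), the script below puts numbers on the length-versus-complexity claim above and on the fixed-prefix trick in the last comment: a predictable prefix like "my password is " adds length but no entropy once an attacker knows the pattern. The guess rate and the candidate policies are constructed assumptions, not measurements.

```python
import math

# Constructed guess rate for the comparison: 1e10 guesses per second,
# a ballpark for an offline attack on a fast unsalted hash with one GPU.
GUESS_RATE = 1e10


def entropy_bits(alphabet_size: int, length: int, known_prefix_len: int = 0) -> float:
    """Entropy in bits of a secret of `length` symbols drawn uniformly at random
    from `alphabet_size` choices. Symbols an attacker can predict (a fixed prefix
    such as "my password is ") add length but no entropy, so they are subtracted."""
    return (length - known_prefix_len) * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, rate: float = GUESS_RATE) -> float:
    """Expected time to hit a uniformly chosen secret: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / rate


# Candidate policies (constructed): label, alphabet size, total length,
# length of a prefix the attacker is assumed to know. Word-based passphrases
# count each word as one symbol drawn from the word list.
CANDIDATES = [
    ("8 chars, any of 95 printable ASCII", 95, 8, 0),
    ("16 lowercase letters", 26, 16, 0),
    ("5 random words from a 7776-word list", 7776, 5, 0),
    ("'my password is ' + 8 printable ASCII", 95, 23, 15),
]


def rank_candidates(candidates=CANDIDATES):
    """Return (label, bits, expected seconds) tuples, strongest first."""
    rows = []
    for label, alphabet, length, prefix in candidates:
        bits = entropy_bits(alphabet, length, prefix)
        rows.append((label, round(bits, 1), expected_crack_seconds(bits)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for label, bits, secs in rank_candidates():
        print(f"{bits:6.1f} bits  ~{secs / 86400:14.1f} days  {label}")
```

The 16 lowercase letters (about 75 bits) outrank both the 8-character full-ASCII password (about 52.6 bits) and the known-prefix variant, which scores exactly the same as the bare 8 characters it hides.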