[MP-Ryan]

http://www.popehat.com/2013/09/08/size-matters/

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

This subject has been mentioned before on HLP, but the above two links are excellent examples of why people should use long pass phrases that are easy to remember instead of short passwords that are not.

[Scourge of Ages]

https://xkcd.com/936/

[Luis Dias]

Nice. have to update a lot of my passwords I guess.

[perihelion]

Yup.  Now, don't you wish that passwords longer than 8-10 characters were allowed on most of the places where you need them?  About the only place where I have been able to implement a pass-phrase is on my home wi-fi.  Granted that's an important one, but how about my bank?  My log-in at work?  My log-in to SAP?  My log-in to the engineering server?

Argh argh argh...

[Mongoose]

I was able to use a longer phrase for a few online retailers like Amazon, but yeah, a lot of password forms out there only go up to 10 characters, which defeats the whole purpose.

[Klaustrophobia]

my bank password is required to be exactly 6 alphanumeric.  i don't even get all that worried about password security, and that made me cringe. 

work passwords are a little bit better at 8, but they are well and truly completely random and have no hope in hell of having a word list used on them.

[BloodEagle]

my bank password is required to be exactly 6 alphanumeric.  i don't even get all that worried about password security, and that made me cringe. 

work passwords are a little bit better at 8, but they are well and truly completely random and have no hope in hell of having a word list used on them.

Hey, um.... Which bank do you use?

[MP-Ryan]

Funny you guys mention that.  I haven't managed to hit a limit on Google's services, but the Microsoft Account for this tablet I'm testing at work is max 16 character password and enforces stupid rules

[deathfun]

"Your password requires at least one number, an upper case letter, your mother's maiden name, a sacrificial goat, dancing around a fire and cutting out your heart to burn it in the hellfire pit in the middle of the temple to appease the password gods"

[niffiwan]

Banks are interesting.  All I've encountered have quite weak password requirements & they don't ever force you to change your password (although some think changing passwords regularly isn't that important anyway).  They do seem to like 2 factor authentication though, like sending a confirmation SMS to your phone.  While I think that part of this is them just writing off a certain amount of fraud, I think it also shows what's actually cost-effective at preventing fraud.  i.e. if someone enters their password into a keystroke logger, it doesn't matter how strong said password is, and that event is more likely that someone brute force guessing your password.

Personally, I use a password management program (like KeePass) with a long master passphrase to open the file, and I use 16+ random character passwords for any sites that allow it, because once I'm using a password management program there's no reason not to make them as complicated as possible.  I think that having non-trivial separate passwords for every site I use is very important, and worth the risk of having all my passwords in a file that potentially could be stolen & unencrypted.  And there is no way on earth that I can memorise all the passwords that I need, especially for sites that I only need to login to occasionally.

[Kobrar44]

I only use 20-character randomly generated password for my bank account, which is always empty anyways. Everything else has one of 3 passwords I used in the past. I had to change password on my google account since some chineese tried to hack it. Luckily google has some more safeties and only NSA knows everything.

[BloodEagle]

I had to change password on my google account since some chineese tried to hack it.

Query: How do you know they were Chinese and how do you know that there was more than one person involved in the attempt?

[Spoon]

I had to change password on my google account since some chineese tried to hack it. Luckily google has some more safeties and only NSA knows everything.

Same here.
Now my password is like three times as long. (Takes so much longer to log in now)

[Phantom Hoover]

best password i ever used was ultraneocontraantidisestablishmentarianism

[Kobrar44]

I had to change password on my google account since some chineese tried to hack it.

Query: How do you know they were Chinese and how do you know that there was more than one person involved in the attempt?

Google tells you the location so at least the server was chineese. How many people were involved I don't care.

[Dark RevenantX]

I just use true random passwords of length 12-16 for everything, aside from a master password holding my vault locked under a very long passphrase.

[Androgeos Exeunt]

Good reads. I now feel tempted to change some of my passwords.

Microsoft has a guide on password creation that seems to echo what is being stated in the articles.

[Klaustrophobia]

my bank password is required to be exactly 6 alphanumeric.  i don't even get all that worried about password security, and that made me cringe. 

work passwords are a little bit better at 8, but they are well and truly completely random and have no hope in hell of having a word list used on them.

Hey, um.... Which bank do you use?

hopefully one that will NEVER leak its password lists. 

oddly enough, however, right after posting that i logged on and was greeted with a message saying they are going to be changing the password system soon.  hopefully that means changed rules and not just a new logon page.

[rev_posix]

Two-factor authentication FTW.

I turn it on with every system I can.  Twitter will send the one time use passcode via SMS, my bank uses a program called VIP Access from Symantec (formerly done by verisign), then there is the Google Authenticator.  Every login system should include this functionality IMO.

[Klaustrophobia]

google will never, ever, EVER get my real name or phone number.  they wouldn't even have my email address if they hadn't bought out youtube and inherited it.