lauriejennifer said:
Not to beat a dead horse or anything (or resurrect one), but I saw this a few weeks ago on xkcd and immediately thought about this thread and smirked. The mouse over text is really the kicker:
Mouse-over text: "To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize."
Heh.
OK, LJ, I'm going to call shenanigans on this one. You saw it a few weeks ago and immediately thought about this thread? And then waited a few weeks to post it? Right.
Trust me, as someone whose site has been hacked and utterly destroyed because someone used a six-character, all-lowercase password based on real words, I can say I probably do understand information theory a little bit. Especially when psychology trumps information theory, and explains that people are lazy and will only do the absolute minimum unless forced to do otherwise.
Do you know why this site was hacked? Let me break it down for you like a fraction:
1. Another site was hacked.
2. Their user database was stolen.
3. A de-hashing program was applied to the user database. Everyone with a short, simple, dictionary-based password was cracked very quickly. Anyone else's password was just a matter of time.
4. Someone with admin rights over here recycled an easily de-hashed password.
5. Bad things happened.
What you and the xkcd crew are arguing via this cartoon is that a 20+ character dictionary-based password is safer than a 7 character "strong" password. That MAY be true in theory, but in practice, de-hashing programs run dictionary words first, and that is why simple passwords are broken faster than complex ones. A 10 character "strong" password will resist de-hashing longer than a 10 character dictionary word password.
Furthermore, what you are inferring is that people would complain about the requirements less if I required a 20 character password instead of 7 characters with one cap. I don't think I need to mentally explore the outcry that would happen if I did something like that...
The password requirements for this site are marginally higher than a lot of other forums, but less stringent than any work computer I've ever used, and MUCH less stringent than most financial institutions I've encountered.
You want it easy? Guess what, your user name is probably more than 7 characters long, just use that and capitalize the first letter. Otherwise, take some responsibility for your passwords, make them long, make them strong, and don't recycle them. I'd recommend a password manager that you can sync with Dropbox as a solution.
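To put numbers behind the two arguments above (the reply's "dictionary words first" point in steps 3 and 4, and the cartoon's word-count point), here is an added illustration; it is not code from either poster. The wordlist, the stolen user table and the list sizes (50,000 and 2,048 words) are constructed assumptions, and the table is unsalted SHA-256 to show why one pass over a dictionary covers every user at once.

```python
import hashlib
import math

# Constructed toy wordlist standing in for a cracker's dictionary (assumption:
# real lists hold tens of thousands of words; only the size matters for the bits).
WORDLIST = ["correct", "horse", "battery", "staple", "password", "monkey",
            "dragon", "sunshine", "football", "princess"]
LOWER = "abcdefghijklmnopqrstuvwxyz"
MIXED = LOWER + LOWER.upper() + "0123456789" + "!@#$%^&*"   # 70 symbols

def sha256_hex(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

def random_chars_bits(charset: str, length: int) -> float:
    """Guessing work for truly random characters: the attacker must cover
    charset**length candidates, i.e. length * log2(|charset|) bits."""
    return length * math.log2(len(charset))

def dictionary_bits(wordlist_size: int, words: int = 1) -> float:
    """Guessing work for a password made of dictionary words when the attacker
    tries dictionary words first: wordlist_size**words candidates, no matter
    how many characters the words happen to contain."""
    return words * math.log2(wordlist_size)

def dictionary_pass(leaked: dict, wordlist: list) -> dict:
    """The 'dictionary words first' phase over an unsalted, fast-hash user table.
    Without salts, each word is hashed once and compared against every user, so
    every dictionary password in the table falls in a single pass. With per-user
    salts this shared lookup no longer works and each user costs a full pass."""
    lookup = {sha256_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}

# Constructed stolen user table: the admin reused a dictionary word; alice did not.
LEAKED = {"admin": sha256_hex("dragon"), "alice": sha256_hex("Xk7#pQ2v")}

if __name__ == "__main__":
    print("cracked in the dictionary pass:", dictionary_pass(LEAKED, WORDLIST))
    # The reply's claim: a 10-letter dictionary word vs 10 random lowercase letters.
    print(f"10-char word from a 50k-word list: {dictionary_bits(50_000):.1f} bits")
    print(f"10 random lowercase chars:         {random_chars_bits(LOWER, 10):.1f} bits")
    # The cartoon's claim: four common words vs a short random mixed-case password.
    print(f"4 words from a 2048-word list:     {dictionary_bits(2048, 4):.1f} bits")
    print(f"7 random mixed chars:              {random_chars_bits(MIXED, 7):.1f} bits")
```

Both sides come out right in their own model: a lone dictionary word is worth only log2(list size) bits however long it is, while four words from even a small list land in the same range as seven truly random mixed-case characters; the difference the cartoon relies on is that few people's "strong" 7-character passwords are actually random.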