14 Jul 2010, 9:30am
/dev/random

On password security

It is commonly thought that secure passwords must have a minimum length, should contain odd characters, a mix of numbers and letters, not be dictionary words, and so forth. And I suppose all of that is mostly valid: if your password is “cat” you’ll likely fall to a dictionary attack fairly quickly.

However, a secure password doesn’t need to be all of these things, and password systems that require them all really annoy me.

My chosen format for passwords is the sentence. I like long sentences that won’t fall to dictionary attacks and will take forever to brute force. For instance, I might use: “Thatsjustpeanutestospace”. It’s long and easy to remember, and no, it’s not my actual password anywhere.

So it’s annoying to come up with a 33-character password just to be told:
Bad password

Sadly, “password1” passes that challenge unhindered.
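The complaint above is easy to make concrete. The following Python is an added example (not code from the post or its author) that puts a typical "must contain letters and digits" checker beside a length-and-blocklist checker, and estimates the exhaustive search space of each password. The policies, the tiny COMMON_PASSWORDS set and the 10^10 guesses/second rate are all assumptions chosen for illustration.

```python
import math
import string

# Constructed stand-in for a leaked-password blocklist. Real checkers use
# lists with millions of entries; "password1" is on essentially all of them.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "cat"}


def complexity_policy(pw: str) -> bool:
    """Assumed 'must contain' rule set: at least 8 characters, with both
    letters and digits. This is the style of checker the post complains about."""
    return (len(pw) >= 8
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def passphrase_policy(pw: str, min_length: int = 16) -> bool:
    """Assumed alternative: long enough, and not a known leaked password.
    No character-class requirements at all."""
    return len(pw) >= min_length and pw.lower() not in COMMON_PASSWORDS


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(c.isspace() for c in pw):
        size += 1
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the naive exhaustive search space, charset ** length.
    This is an upper bound: a phrase built from dictionary words can be
    guessed word-by-word in far fewer tries than this figure suggests."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Wall-clock years to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def report(pw: str) -> dict:
    """Run both checkers and the search-space estimate on one password."""
    bits = brute_force_bits(pw)
    return {
        "password": pw,
        "complexity_policy": complexity_policy(pw),
        "passphrase_policy": passphrase_policy(pw),
        "bits": round(bits, 1),
        "years": years_to_exhaust(bits),
    }


if __name__ == "__main__":
    for candidate in ("password1", "Thatsjustpeanutestospace"):
        print(report(candidate))
```

Run as written, "password1" passes the complexity checker and the passphrase fails it, exactly the outcome the post describes, while the length-and-blocklist checker gives the opposite verdict. The bit figures (about 47 for "password1" against about 137 for the passphrase) are the exhaustive-search bound only; the blocklist test matters because a password on a leaked list is found on the first few guesses regardless of its arithmetic.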