A lot of work does go into it, but the users will mostly ignore that work and continue using “[Dog’s name] + [Wife’s birthday]” as a password (and that’s if you’re lucky).
This is true. I do wonder what could be done to get around the fact that we really can’t handle remembering complex passwords (without using some memory aid that could be compromised).
Biometrics makes sense for worker/admin access, but I’m not sure about the merits of deploying it en masse to the users of a service.
Despite all the controversies surrounding that (in?)famous XKCD comic, I would still agree with Randall that passphrases (I’m guilty of using them) are okay if we make them long enough. And the memory aids that one might need for passphrases are probably less easy to compromise (e.g.
I imagine it’s not too hard for an average human to handle a few passphrases of 10 words each, so maybe bumping the “allowed password length” from 16-30 characters to 100 would solve some problems for security-minded users.
Another tool I imagine might be good is allowing Unicode characters in passwords; maybe mixing Chinese into passwords could let us have “memorable” high-entropy passwords.
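As an added illustration (not part of the thread), here is a Python sketch of a server-side policy check for the two ideas above: accepting 100-character passphrases and accepting Unicode. It normalizes input so the same visible text always produces the same bytes, estimates passphrase entropy, and flags the 72-byte input limit that bcrypt silently truncates at, which a long or CJK passphrase can exceed even when it is well under 100 characters. The wordlist size and the sample passphrases are assumptions and constructed values.

```python
import math
import unicodedata

WORDLIST_SIZE = 7776        # assumed: a six-dice diceware-style wordlist
MAX_PASSWORD_CHARS = 100    # the raised character limit proposed in the thread
BCRYPT_MAX_BYTES = 72       # bcrypt ignores input bytes beyond this point


def normalize(password: str) -> str:
    """NFKC-normalize so composed/decomposed or full-width forms of the same
    visible text hash identically instead of locking the user out later."""
    return unicodedata.normalize("NFKC", password)


def passphrase_entropy_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of num_words words drawn uniformly at random from the wordlist."""
    return num_words * math.log2(wordlist_size)


def char_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a random character password over an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def check_policy(password: str) -> dict:
    """Report character count, UTF-8 byte count, and whether the value fits
    both the 100-character policy and bcrypt's 72-byte input limit."""
    p = normalize(password)
    raw = p.encode("utf-8")
    return {
        "chars": len(p),
        "bytes": len(raw),
        "within_char_limit": len(p) <= MAX_PASSWORD_CHARS,
        "fits_bcrypt": len(raw) <= BCRYPT_MAX_BYTES,
    }


if __name__ == "__main__":
    # Constructed samples: a 10-word ASCII passphrase and a 32-character CJK one.
    ascii_phrase = "alpha bravo charlie delta echo foxtrot golf hotel india juliet"
    cjk_phrase = "天地玄黄宇宙洪荒" * 4
    print(round(passphrase_entropy_bits(10), 1), "bits for 10 random words")
    print(round(char_entropy_bits(16, 94), 1), "bits for 16 random printable ASCII chars")
    print(check_policy(ascii_phrase))   # 62 chars, 62 bytes: fits both limits
    print(check_policy(cjk_phrase))     # 32 chars, 96 bytes: under 100 chars, over 72 bytes
```

The CJK case is the one to watch: a character-based length limit lets it through, but a bcrypt-backed store would hash only the first 24 of its 32 characters, so either pre-hash the input or use a KDF without the limit.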