on the usability of passphrases

Ok, I finally had a moment to fully read the article on password usability and digest it. My first thought is that there are some places this logic should not apply, like situations where offline brute forcing is possible (such as theft of password hashes), Wi-Fi routers, and sites that take only short (8-character) passwords. In these cases a password manager like LastPass is super efficient; it manages highly random passwords for you.

The second thought I had was: is the author's presumption of attack criteria accurate enough? A battery of common phrases is as easy to use as a dictionary, and most people only know a few memorable phrases. The attack rate is also presumptuous, and the article mixes points of view with user suggestions and developer suggestions, so an attack rate of 3000 attempts or better is easily possible against a well-provisioned but insecurely designed web site. Can you remember 15 different phrases if you have 15 different logins? We really should just be using password managers.

And the last thought I had was: what does a security pro say on this? I tweeted @SGgrc, and Steve Gibson of the Security Now podcast will cover this in an upcoming episode! (www.twit.tv/sn)
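To put numbers on the comparison above, here is an added example (not part of the original post, and not code from the article being discussed) that generates a manager-style random password with a CSPRNG and estimates how long an attacker needs to exhaust each candidate space. The 3000 guesses/s figure is the online rate the post mentions, read here as "per second"; the offline rate of 10^9 guesses/s against a fast unsalted hash, the 10,000-entry common-phrase dictionary, and the 94-symbol alphabet are all assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed parameters. ONLINE_GUESSES_PER_SEC is the post's "3000 attempts"
# read as a per-second rate against a web login; the other values are
# assumptions for illustration, not figures from the post or the article.
ONLINE_GUESSES_PER_SEC = 3_000
OFFLINE_GUESSES_PER_SEC = 10**9        # assumed GPU rate vs. a fast unsalted hash
COMMON_PHRASE_DICTIONARY = 10_000      # assumed size of an attacker's phrase list

# 94 printable ASCII symbols, the kind of alphabet a password manager draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Generate a password the way a manager does: one CSPRNG-driven uniform
    choice per character. `secrets` is used instead of `random`, which is not
    suitable for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(space_size: int, length: int) -> float:
    """Entropy in bits of `length` independent uniform choices from `space_size`
    options, i.e. log2(space_size ** length)."""
    return length * math.log2(space_size)


def seconds_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Worst-case seconds to enumerate a space of 2**bits candidates at the given
    guess rate (the average attacker needs about half of this)."""
    return 2.0 ** bits / guesses_per_sec


def compare_scenarios() -> dict:
    """Return, for each credential type, its entropy and the worst-case time to
    exhaust it under the online and the (assumed) offline attack model."""
    scenarios = {
        # A memorable phrase picked from a list the attacker can also enumerate.
        "common phrase": entropy_bits(COMMON_PHRASE_DICTIONARY, 1),
        # A site that caps passwords at 8 random characters.
        "8-char random": entropy_bits(len(ALPHABET), 8),
        # A manager-generated 16-char random password.
        "16-char random": entropy_bits(len(ALPHABET), 16),
    }
    return {
        name: {
            "bits": bits,
            "online_seconds": seconds_to_exhaust(bits, ONLINE_GUESSES_PER_SEC),
            "offline_seconds": seconds_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC),
        }
        for name, bits in scenarios.items()
    }


if __name__ == "__main__":
    print("example manager password:", random_password())
    for name, row in compare_scenarios().items():
        print(f"{name:15s} {row['bits']:6.1f} bits  "
              f"online: {row['online_seconds'] / 86400:14.1f} days  "
              f"offline: {row['offline_seconds'] / 86400:14.1f} days")
```

Under these assumptions the phrase space falls in seconds even at the modest online rate, the 8-character random password survives online guessing but falls to offline cracking in weeks, and only the 16-character manager password is out of reach in both models; which is the post's point that the threat model, not just memorability, should drive the choice.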
