On 11/12/13 22:16, Cathal Garvey wrote:
> A password of good length, stored using a *password hash*, is pretty secure against attack. 'Good length' here is 20 characters or more, if you ask me... but the "true" entropy of a passphrase is not merely the length or character value, but number of words. So a 4-word 20-character passphrase is probably slightly weaker than a 5-word one, because pattern-based or markov-based brute-forcers may have an easier time working through 4-character passphrases.

With an average of 5 important sites and 50 less important sites per person, it requires people to *remember* 55 totally different 20-character passwords. The number of trivia that people can remember in short term memory is 7 plus or minus 2. 55 is way too much to remember. The world needs to forget passwords as remote identification and move on to client certificates. Preferably, a separate client certificate for each site. It takes only a small browser plug-in to make it easy.

Regards,
Guido.