[Full-disclosure] guidelines for good password policy and maintenance / user centric identity with single passwords (or a small number at most over time)

coderman coderman at gmail.com
Sun Mar 26 10:50:17 PST 2006


On 3/26/06, J. Theriault <administrator at maginetworks.com> wrote:
> ...
> Why not just encourage your users to use a "passphrase" instead of a
> "password", such as using a (with proper grammar) book/movie quote or
> phrase?

excessive typing == unnecessary leaked information and longer auth
process (acoustic, profiling, easier pattern discovery, etc.)

i don't have a problem supporting a passphrase mode (>16 chars?  >32?)
but i'd rather not make it the default.

(and the default is and must be the most secure and usable path for
this to be trustworthy and widely usable)




