We also need to get rid of the stupid habit of blanking out the password on the screen as it's typed, which imposes a time penalty exponential in the password length, or at least make it optional and disabled by default.
Re: this. Just have an option to 'display password' on the field itself somewhere, like you get when entering your WiFi password, or passwords on your phone.
Re: GP. Attackers would just switch to brute-forcing with common phrases. Song lyrics, expressions, etc. Then your passphrase rules will change to accommodate that, and be even more confusing. "The quick brown fox jumps over the lazy dog" and other long, memorable phrases, will be as insecure as "password123".
Really interesting article and absolutely a fair point, but from the article itself, passphrases are still better. Just not a cure-all. The title ("... only marginally better ...") does not match the body ("... vast improvement ...").
>>
The "30 bits of security" means the chances of a single guess cracking a four-word passphrase would be one in 2^30. What's more, the two-word phrases cracked in the study provided just 2^20.8 (or 20,656/0.0113) bits of security. Another way of expressing the same finding is that a dictionary of slightly less than 21,000 phrases is enough to guess the login credentials that slightly more than 1 percent of people in the real world will use.
To be sure, that's a vast improvement over the security of normal passwords. Analyses of compromised passwords leaked onto the 'Net, including a corpus of 32 million plaintext codes dumped following the 2009 hack of online games provider RockYou, show that it's trivial to crack a sizable proportion of real-world codes. A dictionary of just two of the most common passwords—123456 and 12345 respectively—typically guesses 1 percent of login credentials.
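Added example, not from the article or from anyone in the thread: the "bits of security" figures quoted above are log2(dictionary size / fraction of accounts cracked), and the same arithmetic applies to the phrase-dictionary attack the earlier reply predicts (song lyrics, stock expressions). The script below makes the conversion explicit and runs a dictionary attack over constructed credential lists, so the numbers 20.8 and 7.6 fall out of the same function. Function names, the phrase list and the credential lists are all invented for illustration; only the 20,656/0.0113 and 2/0.01 ratios come from the quoted text.

```python
import math


def effective_bits(guesses: int, fraction_cracked: float) -> float:
    """Bits of security implied by a dictionary of `guesses` entries that
    succeeds against `fraction_cracked` of accounts.  Trying the whole
    dictionary against every account costs guesses/fraction_cracked work
    per compromised account, so the per-account figure is log2 of that.
    (Same formula as the article's 2^20.8 = 20,656/0.0113.)"""
    if guesses <= 0 or not 0 < fraction_cracked <= 1:
        raise ValueError("need guesses > 0 and 0 < fraction_cracked <= 1")
    return math.log2(guesses / fraction_cracked)


def canonical(secret: str) -> str:
    """Lower-case and collapse whitespace, as a phrase cracker would before
    comparing lyrics or expressions; case and spacing add no real entropy."""
    return " ".join(secret.lower().split())


def dictionary_attack(dictionary, credentials):
    """Try every dictionary entry against every account.  Returns
    (fraction of accounts cracked, effective bits for this dictionary).
    A dictionary that cracks nothing gives infinite bits, which only says
    this dictionary did not work, not that the secrets are strong."""
    table = {canonical(entry) for entry in dictionary}
    hits = sum(1 for secret in credentials if canonical(secret) in table)
    fraction = hits / len(credentials)
    if fraction == 0:
        return 0.0, math.inf
    return fraction, effective_bits(len(table), fraction)


# Constructed sample data (hypothetical, not a real leak).
PASSWORD_DICTIONARY = ["123456", "12345"]
CONSTRUCTED_PASSWORDS = ["123456", "12345"] + [f"user{i}secret" for i in range(198)]

PHRASE_DICTIONARY = [
    "the quick brown fox jumps over the lazy dog",
    "to be or not to be",
    "may the force be with you",
    "i love you",
    "let it be",
    "happy birthday to you",
    "once upon a time",
    "never gonna give you up",
]
CONSTRUCTED_PASSPHRASES = [
    "The Quick Brown Fox Jumps Over The Lazy Dog",   # memorable, and in the list
    "may the  force be with you",                   # odd spacing does not help
    "Let It Be",
] + [f"word{i} word{i + 1} word{i + 2} word{i + 3}" for i in range(47)]


def report():
    """Tie the article's two figures and the constructed attacks together."""
    rows = [
        ("article: 20,656 phrases vs 1.13%", effective_bits(20656, 0.0113)),
        ("article: 2 passwords vs 1%", effective_bits(2, 0.01)),
    ]
    for name, dictionary, creds in [
        ("constructed passwords", PASSWORD_DICTIONARY, CONSTRUCTED_PASSWORDS),
        ("constructed passphrases", PHRASE_DICTIONARY, CONSTRUCTED_PASSPHRASES),
    ]:
        fraction, bits = dictionary_attack(dictionary, creds)
        rows.append((f"{name}: {len(dictionary)} entries vs {fraction:.1%}", bits))
    return rows


if __name__ == "__main__":
    for label, bits in report():
        print(f"{label:45s} {bits:5.1f} bits")
```

The metric is rate-dependent: the same two-entry password dictionary scores 7.6 bits at a 1 percent hit rate, and a modest phrase list that catches a few percent of memorable passphrases lands in the same single-digit range, which is the point the earlier reply is making about lyrics and expressions.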