Comments on: Making your passwords better for less http://www.bitesofapple.com/2010/01/11/making-your-passwords-better-for-less/ Fruitful news for small business Apple users. By Ron Seybold Wed, 31 Mar 2010 11:30:42 -0400 hourly 1 http://wordpress.org/?v=3.0 By: Jon http://www.bitesofapple.com/2010/01/11/making-your-passwords-better-for-less/comment-page-1/#comment-105 Jon Tue, 12 Jan 2010 03:48:05 +0000 http://www.bitesofapple.com/?p=303#comment-105 Of your five rules of thumb, I like 1, 2, and 5, but I think the value of mixed-case and punctuation in passwords is overrated. In terms of bang-for-buck, if you're going to invest more keystrokes, it's better to spend them typing longer passwords rather than hitting the shift key. For example, "xyag9p7wzo" takes the same number of keystrokes as "Wd&eq9%" but most people could probably type the first example faster, and it is more secure because it is almost 50% longer, less vulnerable to brute-force. I'll grant you that if the attacker *knows* I never use the shift key, it would allow for a slightly more efficient brute-force algorithm. Of course, all of the above only applies for passwords that must be physically typed. If I'm using a password manager that transmits the stored passwords for me, then I'll use the maximum allowable range of characters with full cryptographic randomness, for example https://www.grc.com/passwords.htm Of your five rules of thumb, I like 1, 2, and 5, but I think the value of mixed-case and punctuation in passwords is overrated. In terms of bang-for-buck, if you’re going to invest more keystrokes, it’s better to spend them typing longer passwords rather than hitting the shift key. For example, “xyag9p7wzo” takes the same number of keystrokes as “Wd&eq9%” but most people could probably type the first example faster, and it is more secure because it is almost 50% longer, less vulnerable to brute-force. I’ll grant you that if the attacker *knows* I never use the shift key, it would allow for a slightly more efficient brute-force algorithm.

Of course, all of the above only applies for passwords that must be physically typed. If I’m using a password manager that transmits the stored passwords for me, then I’ll use the maximum allowable range of characters with full cryptographic randomness, for example https://www.grc.com/passwords.htm

]]>