That comic makes a good argument against the kinds of alphanumeric passwords most people naively come up with to match password policies, but the randomized ones that a password manager will give you are far stronger. Assuming 6 bits of entropy per character (equivalent to a choice of 64 characters) and a good source of randomness, a random 8-character password is stronger than “correct horse battery staple” (48 bits of entropy vs. ~44), and 10 characters (for 60 bits of entropy) blows it out of the water.
Of course, since you typically won’t be able to remember eight base64 characters for each of the fifty sites you need a password for, that makes the security of the entire system depend on that of the password manager or wherever else you’re storing your passwords. A mix of systems might work best in practice, and I’d recommend using two-factor authentication where it’s offered on anything you really need secured.
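To make the entropy arithmetic in the comment above concrete, here is an added example (not code from the thread or from any password manager) that computes the figures quoted and shows how a manager would actually draw such a password: each character independently and uniformly from a 64-symbol alphabet using a cryptographically secure source. The 64-character alphabet (URL-safe base64 set) and the 2048-word list size are assumptions chosen to match the 6 bits per character and ~44 bits for four words stated in the comment; the word list itself is a constructed toy, not a real diceware list.

```python
import math
import secrets
import string

# Assumed 64-symbol alphabet: letters, digits, '-' and '_' (the URL-safe base64 set),
# which gives log2(64) = 6 bits per character, as in the comment.
ALPHABET_64 = string.ascii_letters + string.digits + "-_"

# Constructed toy word list for demonstration only; a real diceware-style list
# has 2048 (11 bits/word) or 7776 (~12.9 bits/word) entries.
WORD_LIST = ["correct", "horse", "battery", "staple",
             "river", "orbit", "candle", "velvet"]


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a string drawn uniformly at random: length * log2(choices).

    This only holds when every position is chosen uniformly and independently
    by a CSPRNG; a human-chosen password has far less entropy than its length
    suggests, which is the comic's actual point.
    """
    if choices < 2 or length < 1:
        raise ValueError("need at least two choices and a length of at least 1")
    return length * math.log2(choices)


def length_for_target(target_bits: float, choices: int) -> int:
    """Smallest length whose uniform-random entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(choices))


def generate_password(length: int = 8, alphabet: str = ALPHABET_64) -> str:
    """Draw each character with secrets.choice, which uses the OS CSPRNG and
    avoids the modulo bias of naive rand() % len(alphabet). The 'random'
    module must never be used here: its Mersenne Twister state is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 4, wordlist=WORD_LIST) -> str:
    """Same idea applied to whole words: entropy comes from the uniform draw,
    not from the words looking unusual."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def compare() -> dict:
    """The figures from the comment, computed rather than quoted (assumes a
    2048-word list for the passphrase, which yields exactly 44 bits)."""
    return {
        "random_8_of_64": entropy_bits(64, 8),             # 48.0
        "random_10_of_64": entropy_bits(64, 10),           # 60.0
        "four_words_of_2048": entropy_bits(2048, 4),       # 44.0
        "words_needed_for_60_bits": length_for_target(60, 2048),  # 6
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:28s} {bits}")
    print("sample password:  ", generate_password(10))
    print("sample passphrase:", generate_passphrase(4))
```

The comparison is only meaningful for generated secrets: `entropy_bits` describes the generator, not any particular string, so a site policy that forces a digit or a symbol into an already-random password adds nothing, and a human picking four "random-looking" words gets well under 44 bits.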
That comic got me to change all my passwords. I now have a stack of virtual movie posters in my head using that principle. Nothing written down anywhere, not forgotten one yet, far more secure. Works fantastically well for any password function where you are permitted long passwords. I start swearing at places that impose limits, now.
The problem is “correct horse battery staple”-style passwords are easy to remember, but annoying to type. Memorizing a random eight-character password is hard, but typing one is easy.
Alphanumeric passwords are overrated.
What really annoys me is places that won’t let you use those passwords because they’re too long and they don’t have any numbers in them.