About three years ago, developer Cameron Morris had a personal epiphany about passwords, he recently told ZDNet’s John Fontana: The time it takes to crack a password is the only true measure of its worth.
Not whether it has a minimum of x or a maximum of y characters, not whether it’s got blah-blah amount of numbers, not whether it includes your frou-frou leetspeak ch@r@ct3rs, not whether it avoids the verboten words on a taboo list.
Syntax rules like those make up the typical password-creation policies most organizations use and that many security practitioners preach.
But if you religiously follow such policies, Morris notes, you get situations like this: Facebook graded as “weak” a password he made up of 35 characters using the first letters of a random phrase, while it deemed a password “strong” when it matched the social network’s creation policies, which allow for use of common words.
Morris’s Facebook-appeasing password?
The time it would take to crack that supposedly strong password, according to tools that Morris has created to estimate password strength: less than one day.
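The contrast Morris describes, a syntax checker and a time-to-crack estimate disagreeing about the same two passwords, can be shown with a small model. The following is an added example, not code from the article or from Morris's own tools; the toy composition policy, the attacker guess models (a dictionary word with a capitalization variant, two digits and a symbol versus a string of random letters), the 50,000-word dictionary size, the 10 billion guesses-per-second rate and the two sample passwords are all constructed assumptions chosen to make the arithmetic visible.

```python
import math

# Assumed offline guessing rate (constructed, not a measured figure).
GUESSES_PER_SECOND = 1e10


def syntax_policy_ok(password: str) -> bool:
    """A toy composition policy of the kind the article criticises:
    at least 8 characters, with upper, lower, digit and symbol classes."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 8 and all(classes)


def policy_compliant_space(dictionary_size: int = 50_000, digits: int = 2,
                           symbols: int = 10, case_variants: int = 4) -> int:
    """Size of the guess space for the pattern 'dictionary word + digits + symbol',
    which is exactly what a policy-compliant password tends to look like."""
    return dictionary_size * case_variants * (10 ** digits) * symbols


def random_chars_space(alphabet_size: int, length: int) -> int:
    """Size of the guess space for `length` characters drawn from an alphabet.
    A 35-letter string of phrase initials is modelled as 26**35."""
    return alphabet_size ** length


def bits(search_space: int) -> float:
    """Guess space expressed as bits of entropy (base-2 log)."""
    return math.log2(search_space)


def seconds_to_crack(search_space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Average-case time: the attacker expects to try half the space."""
    return search_space / 2 / rate


def human_duration(seconds: float) -> str:
    """Coarse label so the two estimates can be compared at a glance."""
    if seconds < 60:
        return "seconds"
    if seconds < 3600:
        return "minutes"
    if seconds < 86_400:
        return "hours"
    if seconds < 365 * 86_400:
        return "days"
    if seconds < 100 * 365 * 86_400:
        return "years"
    return "centuries"


if __name__ == "__main__":
    # Constructed sample passwords: one that satisfies the syntax policy
    # (word + digits + symbol) and one made of 35 phrase initials.
    compliant = "Summer2013!"
    initials = "tqbfjotldtqbfjotldtqbfjotldtqbfjotl"

    for label, pw, space in (
        ("policy-compliant", compliant, policy_compliant_space()),
        ("phrase initials", initials, random_chars_space(26, len(initials))),
    ):
        secs = seconds_to_crack(space)
        print(f"{label:17s} syntax ok={syntax_policy_ok(pw)!s:5s} "
              f"{bits(space):6.1f} bits  crack time: {human_duration(secs)}")
```

The syntax checker passes the dictionary-based password and fails the 35-letter one, while the time-based estimate ranks them the other way round, which is the point of the piece; the absolute numbers depend entirely on the assumed rate and guess models, so treat them as illustrative.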
Read the full article at Naked Security