For my own peace of mind as well as platform safety and security, we really need a max password length of >20 characters. Please see Troy Hunt’s blog (Microsoft security researcher, well-written and sometimes hilarious posts) about why this is critical. I sure hope our passwords are already encrypted, even if they’re required to be short.
While I agree that longer randomly generated passwords are much better from a security standpoint, I’m confident the average user has no interest in a greater than 20 character length password. I would not be opposed to the option existing for those who would be interested.
As an aside, my professional background is banking. Our long-time IT security guru is also a firm believer in long complex passwords. When confronted by some of my co-workers as to how they would possibly remember them, his suggestion was to write them down on a piece of paper at their workstation. Sounds crazy but his theory is if one’s physical workspace is compromised, one’s password is a relatively trivial concern.
I’m not saying they need to be randomly generated. If you’ve seen the XKCD comic about passwords, you know they can be secure and memorable. If an average word is 5-6 characters, I can only fit 3 or 4 short words into a 20 character password. The one in the comic (correct-horse-battery-staple) is 28, and those extra 8 characters provide a surprising amount of added difficulty to guess or crack.
Also, there’s nothing stopping “the average user” from using their 10 character password if the maximum is 60. If I get to use my password manager to max out the password length, Mr. Average and I are both happy.
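To make the two points above concrete (the added difficulty of 28 versus 20 characters, and the fact that a generous maximum costs nothing on the server side), here is an added example that is not part of any post in this thread. It assumes a site stores passwords as salted PBKDF2-HMAC-SHA256 digests; the policy limits (12 to 128 characters), the word-list size and the sample passwords are constructed for the example. A salted hash is the same fixed size whatever the input length, so storage is no reason to cap passwords at 20 characters; the only reason for a cap at all is to bound the CPU time a key-derivation function spends on an oversized input.

```python
import hashlib
import hmac
import math
import os

# Policy bounds: constructed values for this example, not any real site's settings.
MIN_LEN = 12
MAX_LEN = 128            # generous cap: stops oversized inputs without blocking manager-generated passwords
PBKDF2_ITERATIONS = 600_000


def guess_space_bits(length, alphabet_size):
    """Bits of work to try every string of `length` symbols drawn from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(num_words, dictionary_size):
    """Bits of work when the attacker knows the words are picked uniformly from a fixed word list."""
    return num_words * math.log2(dictionary_size)


def check_policy(password):
    """Return (accepted, reason). Length is the only rule here: no character-class requirements."""
    n = len(password)
    if n < MIN_LEN:
        return False, f"too short: {n} < {MIN_LEN}"
    if n > MAX_LEN:
        return False, f"too long: {n} > {MAX_LEN}"
    return True, "ok"


def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The digest is always 32 bytes, whatever the password length."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # The lengths argued about above, against an attacker who brute-forces lowercase letters.
    print(f"20 random lowercase chars : {guess_space_bits(20, 26):.1f} bits")
    print(f"28 random lowercase chars : {guess_space_bits(28, 26):.1f} bits")
    # The comic-style passphrase, assuming the attacker knows the 2048-word list it came from.
    print(f"4 words from a 2048-word list: {passphrase_bits(4, 2048):.1f} bits")

    # Constructed sample passwords: a 60-character manager-generated one and a 12-character one.
    manager_pw = "Qv7!mN2#rT9$kL4%wX8&zB3^hC6*pD1(fG5)jS0-aE2_uY7+oI4=nM9~eR1"
    short_pw = "horsestaple1"
    for pw in (manager_pw, short_pw, "tooshort"):
        ok, reason = check_policy(pw)
        print(f"{len(pw):3d} chars -> {reason}")
        if ok:
            record = hash_password(pw)
            # Both records have a 64-hex-char (32-byte) hash: length of the input never leaks into storage.
            print(f"    stored hash length: {len(record['hash'])} hex chars, "
                  f"verify: {verify_password(pw, record)}")
```

Nothing in the stored record depends on how long the password was, which is why a database column sized for the hash can accept a 60-character input as easily as a 10-character one. The iteration count is kept in the record so it can be raised later without invalidating existing users.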
Complex passwords can be remembered easily by having a sentence in mind. In 1983 my dad & I went fishing @ the Huron, Ohio pier and had a great time. Hence the password of: [I1983md&iwf@theHOpahagt] That is a 22 digit password.
This beats pig latin passwords.
The other thing to take into account is that it’s recommended to create a different password for every account you have. So, the complexity is far, far greater than how long your password is for an individual account.
I suppose if you use some kind of password manager the job becomes easier, but your security guru probably forgets that most people don’t sit at their workstation all day. Are they going to carry their ‘piece of paper’ with them wherever they go?
I don’t necessarily agree with him completely but he might very well say, yes. I’d agree a password manager might be the better solution.
I’ll still observe most folks don’t heed advice to use complex passwords or different ones for each account. Convenience has a tendency to trump security. Those of us frequenting Internet forums tend to be the outliers.