Mark Burnett suggests that you ignore absolutely everything besides length in your passwords. This is the most exuberant entry yet in the new bad password advice: that only length counts. Randall Monroe’s xkcd on the subject is a lot better, but still, I think, a little worrisome.
Burnett may well be correct that at this exact instance in time, a password like 33333333333333333333 might be harder to crack than fJ3N06. But if he is correct, that’s only because at this moment in time, the public has been repeatedly and incorrectly told to focus on having short passwords with lots of “special characters” in them.
As a result, 99% of all passwords are short (say, less than 10 characters), and the attacks out there presuppose shortness and don’t even consider 20 character passwords, no matter how bad.
But the entire point of Burnett’s post, or Randall’s, or, hey, how about mine, is that the present situation is untenable. We can’t continue to have all of web security base itself around the flawed “short password with special characters” model. And so, as we work towards educating people about a new model of longer passwords, let’s get them practices that aren’t just good right now, when length is all that matters, but is good in the future when hackers actually care about 20 character passwords. And in that future, “all threes” does not cut it.
Nor does any measure of low-entropy, all-length password. The xkcd comic is scrupulously true as far as it goes, but note that Randall’s definition of a “common” word is “in the top 2,000 most common words,” not, say, “the top 1,000,” or “the top 500.” And it’s not, “to be or not to be,” or “where the streets have no name.” If and when longer passphrases become common enough that attackers bother to target them, the same people who use “$ecret1” as their passwords now will be choosing passphrases: and if all you tell them is “it must be 20 characters,” or “it must be four words,” they’ll but just as vulnerable then as we are now.
Most of Burnett’s advice is terrible. He correctly diagnoses problems and then gives bad solutions. He suggests adding “a word” to the end of your passphrase, which adds probably somewhere between 500 and 2000 possibilities to your password, as an alternative to doing substitutions, which probably add in the same general ballpark.
He suggests taking “three to four words from a common phrase” and using that as the basis for your password, and then doing the kind of simple substitution (pluses instead of spaces) that he correctly decried a paragraph before. This is an awful idea. Dictionaries of common phrases exist, people.
Hilariously, he suggests that random passwords are a bad idea. This is just dumb. If you can live with a random password, then it’s the best solution. Sure! Choose a longer random password, not a shorter one. In all likelihood, you aren’t committing it to memory anyway, you’re using some kind of password management tool. And yes, at this exact moment, an eight character random password may be less secure than a longer, less entropic one. But that will stop being true the very moment a significant number of people start using longer passwords.
And having a strong password base and then a few predictable characters for a particular site, is a pretty good compromise between the better-security but harder-to-manage goal of a unique password for every site, and the more humane but less secure repetition of passwords.
In short: Don’t give people security advice that is predicated on your security advice not being taken.