Passwords vs. Pass Phrases

Microsoft security guru Robert Hensing hit a home run his first time at bat with his very first blog post. In it, he advocates that passwords, as we traditionally think of them, should not be used:


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2005/07/passwords-vs-pass-phrases.html

I remember reading an article about passphrases a few months ago, I’ve got it printed out round here somewhere thumbs through a pile of papers

We were considering using pass phrases for the new website we are currently developing.
But in the end, we decided to stick with passwords. Why?

Mainly because that’s what users are used to and we’re trying not to introduce anything to confuse people.

What we have done is made a security meter that shows users how secure the password they are entering is, along with tips on how to create a secure password that is easier to remember.

Mainly because that’s what users are used to and we’re trying not to introduce anything to confuse people.

It’s not new. As long as passwords of sufficient length are allowed, users can opt to use passphrases. What is a passphrase but a longer password that probably reads as a sentence?

The problem, as you point out, is that most people have deeply held misconceptions about what passwords “should be”…

Just make it code:

for i = 1 to 100 do print “This is MY password!”

or even better run together

fori=1to100doprint"ThisisMYpassword!"

If you can get {} in it, a nice complex C++ for loop would do nicely. I HIGHLY doubt anything would crack that anytime soon :slight_smile:

From Bill Brown’s blog:

[UPDATE (2/17/05): After the second time calling our help desk today to reset my network password, I think I’m going to end this crazy experiment. My password was “I could make your life a living hell!” from Ace Ventura: Pet Detective. It was definitely easy to remember but easy to mistype. The worst part of using passphrases is that if you lose your place, punch two keys at the same time, or lose confidence in your space bar application, you must start over from scratch. And if you make a mistake twice, the most important thing in your life suddenly becomes getting the password right on that third attempt.]

True, the length does take some getting used to. But how about a somewhat shorter phrase? Something like “Open sesame!!” perhaps?

I suppose it depends on your audience, but in my experience even something a little different or alien can confuse users.

Perhaps, but I think reminding users that password doesn’t LITERALLY have to mean password could help them. In the end, it’s less “I forgot my password” requests and it’s likely to be more secure to boot.

How about instead of just a bland “password” entry box, we present some sample passwords and passphrases as suggestions next to the entry box? Just gentle reminders that password does not mean a single word.

At 12 characters, your password is barely at the lower end of most passphrase recommendations. The passphrases you cited (“My oldest son’s name is Chris and he is 10 years old”, “My address is 1234 Main Street”, etc.) are all much longer and just as fraught with danger as was my passphrase.

I’ve heard of people recommending that you only take the first letter of each word in the phrase, but that seems just as problematic as typing the whole thing. Typing a full sentence is relatively easy. Mentally left-ing the first letter of every word is easy to screw up.

I suggest that you use whatever works for you. The call to action should be: let me enter as long a password as I’m willing to use.

The call to action should be: let me enter as long a password as I’m willing to use.

The real call to action is to remind users that passWORD doesn’t literally mean a WORD. And to that end, I think samples are helpful.

At our website, the majority of the users are ‘Joe public’ who use their computer as a tool, with seemingly limited knowledge of things we more advanced users take for granted.

Since I was hired as the senior programmer here I’ve been steadily scaling back the complexity of how the public facing website systems look and work.

Even something as simple as sending new users an account activation e-mail before their new account was activated caused many problems.
Initially 30% of all accounts were never activated. Because people didn’t read the e-mail? Didn’t understand it? Or something else…

My point is, yes, making a system accept pass phrases is fine. If somebody wishes to use one, so be it.
But a lot of my work, interface-wise, is geared towards keeping things as simple as possible and not introducing anything that could confuse users.

I suppose it depends on your audience, but in my experience even something a little different or alien can confuse users.

P.S. Jeff, I’ve been enjoying your blog for a few months now. Most enjoyable and informative, keep it up!

I’ve tried pass phrases and discovered that I don’t like them:

http://www.bbrown.info/blogs/bblog/archives/passwords-revisited.cfm

In the end, I reverted back to my old system:

http://www.bbrown.info/blogs/bblog/archives/passwords.cfm

For new passwords, I’ve taken to using the old system and then pressing the backspace/delete key. The second word then becomes a not-word and I think makes the whole password uncrackable.

Yes, simple examples and explanations are good user interface design.

I noticed Jeff that you’ve also read ‘The design of everyday things’

After reading this I made a checklist that is stuck to every designer’s desk here, with six bullet points that every web based or desktop application we make must meet.

  • Make things visible (Give feedback, show visible results of actions)
  • Don’t be arbitrary (Use obvious command names and actions)
  • Be consistent
  • Make operation intelligible
  • Be polite (Work with the user, not against)
  • Don’t make operations dangerous (Don’t allow a single wrong action to destroy work)

To that end, Peter, IBM made some great posters on usability a few years back that I have hanging up around my cubicle:

http://www-306.ibm.com/ibm/easy/eou_ext.nsf/publish/650

Thanks Bill, I’ve compiled four of those into one A4 sized poster.

Simplify!

I use and love pass-phrases. I find them easier to remember than single words. They also have an added bonus - as soon as you sit down and log in you’re typing away like mad entering your pass phrase…you sound really really busy. This is a good message to convey to others. 5000^4 = 625000000000000, and there are (as yet) no pre-computed list of hashes for all 4-word phrases.

I think this whole discussion misses the point. Would you rather be wearing brown or blue when standing on deck waiting for the ship to sink? I would rather not have to remember a $#^%$ password!

then it can be attacked at the word level with greater speed than a password such as xY6^ui*9uiyrt can be attacked at the letter level

I’m not sure this is true.

The ASCII character set is about, what… maybe 100 characters?

In a sentence, how many words can follow a given word? Imagine a pass-phrase like:

“I have a (blank) hat.”

How many words can go in the blank? Certainly far more than 100!

And remember there is no feedback for partial matches on password failure. You have to match the entire phrase to know if you’ve succeeded or not.

Jeff

You say I am not taking into consideration punctuation and numbers however Robert doesn’t include numbers and only includes appropriate punctuation in his examples. My point still stands that if a passphrase is a legal sentence using appropriate punctuation, then it can be attacked at the word level with greater speed than a password such as xY6^ui*9uiyrt can be attacked at the letter level.

Jeff

You are correct that a passphrase such as I have a (blank) hat is very easy to remember, however my point was that a password of equivalent length is harder to break. Of course, this implies that you know it is a passphrase, which of course you would not know. Here are the numbers. Let’s choose the word red for your blank.

As a passphrase, we can safely say that for each word there are about 2000 words that a person would commonly use. In fact, it is less than that because of grammar rules, but we’ll discount that for now.

I have a red hat == 2000^5 == 32000000000000000 combinations.

Now look at a password of equivalent length where each character can be letter, number, or punctuation. That would make about 40 choices per character. So
I have a red hat == 16^40 == 1.4615016373309029182036848327163e+48 combinations.

If someone uses grammatically correct sentences for pass phrases, then a brute force attack on the pass phrase will succeed sooner than a brute force attack on the password. However, I’m quite certain I’ll forget the password much sooner than either one is broken! :slight_smile:

Small correction in my math. The second example should be 40^16 == 42949672960000000000000000.

Dang logic checker failed to catch that before posting :wink:

say that for each word there are about 2000 words that a person would commonly use

I think this is an extremely low estimate, but OK.

  • What about capitalization eg “I have a Black hat”? That means the number of possibilities just doubled for each word.

  • What about punctuation eg “I have a Black hat!” or “I have a tall, black hat” That’s a few possible characters that may or may not be present. With the comma alone we’ve doubled the number of attempts for each word. And the end of the sentence has to be tried with a period, question mark, exclamation point at least.

Without even breaking a sweat, I’ve increased the REAL number of comparisons you’d have to attempt to (6000 ^ 5) * 3 or

23,328,000,000,000,000,000

I guess the hypothetical attack tool you are talking about would have a complete command of English (and perhaps other languages/words/grammatical errors that might slip in)? I don’t know how it would know what capitalization and punctuation rules make sense to try, or even which words statistically follow other words. I am not sure this attack tool you’re describing A) even exists or B) is possible to create. It’s certainly several orders of magnitude more difficult than a simple “check the next ASCII character in sequence”.

Furthermore, it’s trivial to add words. I could easily change this passphrase to “I have a tall, Black Stovepipe hat!” or enforce a “must be at least n words” rule.

(6000 ^ 7) * 3

839,808,000,000,000,000,000,000,000

This compares quite favorably to your 16 character password nobody can remember “xY6^ui*9uiyrt”

40^16

42,949,672,960,000,000,000,000,000

Er… heh. You’re not the only one making math errors!

2000 * 2 (initial caps) * 2 (trailing comma) = 8000, not 6000. Duh. So those numbers I quoted are actually low.
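A quick way to sanity-check the figures traded in the two exchanges above, as an added example and not code from the thread: it models both attack strategies the posters describe (word-level brute force of a phrase versus character-level brute force of a password) and converts each keyspace to bits, so the 2000^5, 40^16 and 8000^n*3 numbers can be compared on one scale. The guess rate is an assumed placeholder, not something the thread states.

```python
import math

# Assumed placeholder guess rate (not from the thread); adjust to taste.
GUESSES_PER_SECOND = 10**9

def phrase_keyspace(vocab, words, caps=False, comma=False, end_punct=1):
    """Word-level brute force as the thread models it: each word comes from
    `vocab` common words; `caps` doubles each word for an initial capital,
    `comma` doubles it again for an optional trailing comma, and the
    sentence ends with one of `end_punct` terminators (. ? !)."""
    per_word = vocab * (2 if caps else 1) * (2 if comma else 1)
    return per_word ** words * end_punct

def password_keyspace(alphabet, length):
    """Character-level brute force: every position is an independent
    choice from an alphabet of `alphabet` symbols."""
    return alphabet ** length

def entropy_bits(keyspace):
    """Keyspace expressed in bits, which is what actually lets two very
    differently shaped search spaces be compared."""
    return math.log2(keyspace)

def years_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    cases = {
        "2000-word vocab, 5 words, no variants": phrase_keyspace(2000, 5),
        "same, + caps + comma + 3 end marks": phrase_keyspace(2000, 5, True, True, 3),
        "same, 7 words": phrase_keyspace(2000, 7, True, True, 3),
        "16 chars from 40 symbols": password_keyspace(40, 16),
    }
    for name, space in cases.items():
        print(f"{name:40s} {space:>30,d}  {entropy_bits(space):6.1f} bits"
              f"  {years_to_exhaust(space):.3g} years")
```

Run it and the bits column shows why the thread's disagreement hinges on the per-word multiplier: five plain words from a 2000-word vocabulary trail the 16-character password, while seven words with the capitalisation and punctuation variants overtake it.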