Singalongapassword

Brian Krebs is an excellent journalist and blogger on information security matters.  He often seems to pick up infosec stories that nobody else covers and his advice is generally sound.

In respect of password choices, however, I think Brian's missing a trick. He offers the stock advice on avoiding common words, using miXed case and punctuation ... etc. all fair enough but neglects to mention the coolest tip of all, which is to use long pass phrases.

Long passwords used to be counterproductive on old Windows systems that broke them all into weak 7-character chunks. Windows hasn't done this for years.  The only other issue I'm aware of is that some dinosaurs of the mainframe era still restrict password length to about 8 characters. But hey, it's only the mainframe, so nothing much to protect there, eh?

My favorite passphrases are the complete lines of songs, complete with punctuation, spaces, capiTaliZation and tricks such as duplicating, omitting or substituting certain characters. Best of all, I only need to remember one long passphrase - the one that opens my password vault - and I practice it often enough that it sticks firmly in my mind. When it's time to change it, I simply pick another line or another song, poem or famous quotation, something memorable anyway. Occasionally I find myself quietly humming along as I type it in, and yes I'm paranoid enough to worry about anyone overhearing me!