I’ve had a thought forming in the back of my head since a recent ISD Podcast we did the other day featuring a breach of a Star Wars fan site. In the case of a data breach like this, it really doesn’t matter what your password is if the website stores in in clear text. Obviously you would hope that they wouldn’t do this but if they do, you are screwed.
No matter how much care you put into having that 80 character pass phrase with punctuation, etc, the data thief is sitting there staring at your password plain as day. Furthermore, you are standing out as the lone wolf who has this crazy password. From the thief’s perspective, that makes you a more interesting target since you are A) Either just more careful than the average Joe or B) You have something spectacular to hide.
Most people choose a password of 7-8 characters. This is because this is the minimum required length for most websites. A password of that length is somewhat trivial to crack these days practically no matter how much capitalization or punctuation you have present. When you move up to more like a 15 character password, I’ll dare say that you are beyond the practical reach of current capabilities. If you were dumb about it and made it easy to guess then all bets are off. Putting in spaces can help but even just combining odd words will make a better password. To illustrate:
“sneakyrubberdogbath” is safer than “P4$$#ui!”
But then if a website gets hacked and the all the user accounts are leaked, having something REALLY long and REALLY crazy is going to make you stand apart from the pack. Probably far more than you really want to. If I saw something like…
…my interests would personally be peaked and I would wonder what was so damned important that userbob is trying to protect. My point is that you should keep your password within a range and not get carried away too far in either direction.