Over the past few days, a lot of folks at work have been sending me links to this really excellent XKCD cartoon:
I think this really hits the password problem on the head. With the advent of inexpensive GPU-assisted password cracking, as well as more intelligence on the part of the (human) password crackers, the old-school password rules of “must have a capital letter, a small letter, a number, and (maybe) a special character” are becoming woefully outdated. And yes, they are hard to remember. And most importantly, they make users hate the InfoSec people. Do they ever bring us home-baked brownies as a reward for our password rules? Nope.
As I tend to always take advice from comic strips when making important decisions, I really like the four dictionary word idea. The math seems to work and it certainly seems to be easier on the user. However, the infrastructure for implementing such a scheme in the systems where it would count (primarily Microsoft Active Directory) would have to exist in order for this to be workable. I hope that Microsoft and others who did better than me in math take a long hard look at this as a potential solution to password problems.
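To put numbers behind "the math seems to work", here is an added Python example (not from the original post) that computes the entropy of a passphrase drawn uniformly from a word list, compares it with the upper bound for a character-class password, and generates a passphrase with a CSPRNG. The 2048-word list, the 72-character alphabet and the sample word list are assumptions for illustration.

```python
import math
import secrets

# Constructed sample word list for the demo; a real passphrase list
# (diceware-style) has on the order of 2048 to 7776 distinct words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "apple", "river",
                "garden", "window", "pencil", "orbit", "candle", "meadow"]


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of word_count words picked uniformly at random from a list of
    wordlist_size words: log2(wordlist_size ** word_count)."""
    if wordlist_size < 2 or word_count < 1:
        raise ValueError("need at least 2 candidate words and 1 pick")
    return word_count * math.log2(wordlist_size)


def random_password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound for a character password of the given length. It is only
    reached when every character is uniformly random; a human-chosen
    'Capital + word + digit + symbol' pattern has far fewer effective bits."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length 1")
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time for an attacker at the given guess rate to try every candidate.
    The rate is a parameter (assumption) because it depends on whether the
    attack is online (rate-limited) or offline against a stolen hash."""
    return (2 ** bits) / guesses_per_second


def generate_passphrase(words, word_count: int = 4, sep: str = " ") -> str:
    """Pick words with the secrets CSPRNG (never the random module);
    a duplicated word would silently shrink the effective list size."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    if word_count < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    # Assumed parameters: 2048-word list, 4 words; 72-symbol alphabet, 8 chars.
    p = passphrase_entropy_bits(2048, 4)
    c = random_password_entropy_bits(72, 8)
    print(f"4 words from 2048: {p:.1f} bits; random 8-char password: {c:.1f} bits")
    print(f"years at 1000 guesses/s: {seconds_to_exhaust(p, 1000) / 3.15e7:.0f}")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```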