A Microsoft security guru starts blogging, and gets attention for advocating passphrases as memorable alternatives to passwords.
I don't see passphrases as workable. I have hundreds of passwords to manage -- would hundreds of passphrases be any easier to manage? In any case it's not like people would choose passphrases randomly -- popular songs, famed bible quotes, historic expressions would all be over-represented.
The blog did mention a few minor details that are probably not known to the average person:
- Passwords of under 10 characters are completely vulnerable. Software using "Sarca rainbow tables" is used to create all "possible LM or NT password hashes of a given length with a given character set". The "pre-computed password-hash-to-password-mappings" are then burned to DVD. The DVDs are used to crack systems using passwords under 10 characters.
- All dialects of Windows default to storing an "LM hash" for passwords below a certain (nn characters?) length. "The LM hash is no longer cryptographically secure and takes only seconds to crack with most tools".
- Password length may be more important than password complexity given current cracking tools. A good length is something like 42 characters or more.
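To make the LM hash point concrete, here is an added example of my own (Go code, not from the blog) that computes an LM hash the way Windows does and shows why length beats complexity there: the password is upper-cased, split into two independent 7-character halves, and anything under 8 characters leaves the second half at a fixed, recognisable constant. It assumes ASCII passwords and uses the standard library DES only.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"strings"
)

// lmBlankHalf is what each 8-byte half hashes to when its 7 password bytes
// are all NUL, i.e. the value stored for an empty or absent half.
const lmBlankHalf = "aad3b435b51404ee"

// expandKey spreads 7 password bytes over an 8-byte DES key, 7 bits per
// byte; the low bit of each key byte is a parity bit that DES ignores.
func expandKey(k7 []byte) []byte {
	var bits uint64
	for _, b := range k7 {
		bits = bits<<8 | uint64(b)
	}
	k8 := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		k8[i] = byte(bits&0x7F) << 1
		bits >>= 7
	}
	return k8
}

// LMHash computes the LM hash of an ASCII password: upper-case it, NUL-pad
// to 14 bytes, split into two 7-byte halves and use each half as a DES key
// to encrypt the fixed string "KGS!@#$%". Windows stores no LM hash for
// passwords over 14 characters, so those get the blank value.
func LMHash(password string) string {
	if len(password) > 14 {
		return lmBlankHalf + lmBlankHalf
	}
	padded := make([]byte, 14)
	copy(padded, strings.ToUpper(password))
	out := make([]byte, 16)
	for half := 0; half < 2; half++ {
		block, _ := des.NewCipher(expandKey(padded[half*7 : half*7+7])) // 8-byte key never errors
		block.Encrypt(out[half*8:], []byte("KGS!@#$%"))
	}
	return hex.EncodeToString(out)
}

// PasswordUnder8 reports whether a stored LM hash shows the password was
// shorter than eight characters: its second half is then the blank constant.
func PasswordUnder8(lmHash string) bool {
	return strings.ToLower(lmHash[16:]) == lmBlankHalf
}
```

Because the two halves are hashed independently and case is thrown away, a 14-character LM password is really two separate 7-character, upper-case-only searches, which is exactly why the tables mentioned above fit on a DVD.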