Why you should care about password length

Jeff Atwood shows us why we should consider better password policies when developing applications or setting company policy.  

As we know, the biggest threat to security is not hackers but the users themselves, who make it easy for someone to gain access to protected resources by having ridiculously easy-to-guess passwords. As developers, we are as much at fault for building applications that allow this behavior. Jeff recommends using pass phrases instead of passwords. A phrase is longer (and thus more resistant to brute force) and easier to remember than a mixed-up jumble of nonsensical characters. With an unusual word or character added, pass phrases are very difficult to break with dictionary attacks as well. Pass phrases are controversial too; see:

The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3

The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3

The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3

Personally, I think the hard part is convincing users and business owners of an application that longer or more complicated is better. From my own experience, I understand users want the simplest password policy possible. Often the business owners of an app don’t feel the information being protected is important enough to justify such an imposition on the users, or feel that it becomes a support expense because users can’t manage their own data or password very well (a great argument for using something like Windows CardSpace). I think they forget that users re-use the same password everywhere possible: a free e-mail account, network access at work, bank web sites, a blog, a MySpace account, etc. I would not want to be responsible for a malicious person gaining a password from my system and then using that password to systematically destroy someone else’s life. Be strong, insist on good password policy.
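To make the pass phrase argument above concrete, here is an added example (not code from this post or from Jeff Atwood) of a policy check that rewards length and rejects phrases built only from dictionary words. The 16-character minimum, the tiny word list and all function names are assumptions made for illustration.

```python
import math
import string

MIN_LENGTH = 16  # assumed policy threshold, not a value from the post
# Constructed stand-in for a real word list, which would hold many thousands of entries.
DICTIONARY = {"correct", "horse", "battery", "staple", "my", "dog", "has", "fleas"}
# Character classes used for the keyspace estimate: (members, class size).
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
]


def brute_force_bits(secret: str) -> float:
    """Upper bound on brute-force work in bits: length * log2(alphabet size).

    Only valid against blind enumeration; a dictionary attack does far better
    against secrets built from known words, which check_passphrase guards against.
    """
    alphabet = sum(size for members, size in CLASSES if any(c in members for c in secret))
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


def has_unusual_element(secret: str) -> bool:
    """True if the secret has a non-dictionary word or a non-letter, non-space character."""
    tokens = [t.strip(string.punctuation).lower() for t in secret.split()]
    odd_word = any(t and t not in DICTIONARY for t in tokens)
    odd_char = any(not c.isalpha() and not c.isspace() for c in secret)
    return odd_word or odd_char


def check_passphrase(secret: str) -> list[str]:
    """Return the policy problems found; an empty list means the secret is accepted."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append("too short")
    if not has_unusual_element(secret):
        problems.append("only dictionary words")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4d&r", "correct horse battery staple", "correct horse battery zyzzyva!"):
        verdict = check_passphrase(candidate) or "accepted"
        print(f"{candidate!r}: {brute_force_bits(candidate):.1f} bits, {verdict}")
```

The bit figure is a ceiling that assumes randomly chosen characters, so it should be read alongside the dictionary check rather than on its own.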