by spenczar5 3704 days ago
I don't understand how that wouldn't work within the system described in the blog post. Couldn't you just write down `anger lunar @1` and follow your personal secret munging rule, so it becomes `ngeraunarl@1` (or whatever)?
2 comments

The problem is that if you stumble upon three of these different requirement sites that break with your Two Step Authentication process as described in the article, you're going to forget about this rule.
I don't see why you couldn't modify the concept to always include numbers and special characters.

For example, your "password" could be a combination of words, numbers, and characters while the "thing you know" is something like capitalizing the even or odd first character corresponding with the even or odd number corresponding to the first letter of the site or company, and combine that with the even or odd sequenced number and character in their sequential location in the password or at the end or beginning of the entered password.

I'm sure I could describe that more clearly if I tried.

Then you run into the problem of idiotic sites not allowing special characters, or numbers, or even uppercase (I am looking at you, rvtrader.com...)

The second main reason passwords suck (after the fact that users tend to choose weak passwords) is that developers implement all sorts of contradicting password rules.

No, because standard UX only gives you the arbitrary rules at creation time vs login time, so when logging in you don't know which rules you had to comply with.

Can't wait till we check min entropy and otherwise don't care.