[gfsadhfsd]

> How many 12+ character passwords are you able to memorize?

As I need to enter on a regular basis. In practice, no more than half a dozen. Usually I have 3 or 4 in use. Might be work, personal, and a couple for crypto.

> How long does it take you to learn a new/changed one?

Depending on the length, 5-10 minutes of continuous training to be confident if it's one I'm going to put into immediate use.

The point is to go straight to pure muscle memory without using a mnemonic crutch. Ultimately for a password that you're typing on a multiple-times daily basis, you're going to be relying on muscle memory anyway. If you're trying to remember what came after the correct horse battery, or if the correct came first or last, you've already lost. "limbdumaslaterjuramondo" gets me no closer to login if my password is "limbdumaslaterjuramondohalf" if I've forgotten nonsensical "half" than "+D%W}B_]7|~y" gets me to login if my password is "+D%W}B_]7|~yd" and I've forgotten "d".

You're going to be typing the password with your fingers, so learn the password by typing it with your fingers until it's automatic, not by conjuring a sequence of unconnected mental images. It actually saves time.

[marklgr]

I doubt most people type their passwords multiple times on a daily basis, so dismissing mnemonics with "just use muscle memory" doesn't look practical to me. And they're not incompatible, actually: you can eventually commit to muscle memory a diceware-like password, but in the meantime (or if it slips out of muscle memory) you got mnemonics ie. clues.

As far as I'm concerned, I've tested some diceware passwords for some months, and I would say they served me all right. I "name" my passwords by their initials (first letter of each word), so there's no risk of missing a word or swapping some.

[gfsadhfsd]

If it works for you, great. Maybe I was being deliberately controversial calling xkcd/diceware bullshit. Kudos for raising bad password awareness and improving practices, I suppose.

But, I still contend it basically knocks down a straw man with bullshit. Yes, they correctly point out that if you're using a mnemonic method, a long passphrase is better than a short password. I'm pretty sure the PGP folks pointed that out at least a decade or two ago.

At the end of the day, if you're not using, recalling, and exercising a strong secret, you will forget it. That's how memory works. With Diceware you have three things to learn; your silly mnemonic, what it translates to, and how to type it quickly. True, you might (just might) forget the muscle memory of exactly how to type it before you forget the entire mnemonic, and then be able to recover the password from your memory of the mnemonic cues. That seems intuitive, at least, but misleadingly so.

But my years of experience has taught me that muscle memory is the most durable memory. There's nothing inherent in "correct horse battery" that's going to give you "staple" once you've forgotten it; it's gone. It was random, after all. If you're not exercising and remembering your secret, then you have to have a backup to fall upon--written down or stored somewhere? If your goal is muscle memory with minimum pain, fewer, maximally-random higher-entropy keystrokes is better.

I don't think most people sit down at their desk all day uninterrupted without leaving. I lock my terminal when I leave my keyboard and type a password to unlock when I return. I enter a password whenever I unlock an encrypted volume (e.g., to get other passwords).

You can use biometrics or tokens, but purely memorized passwords can have unique utility. In America, for instance, you generally can't be rubber-hosed to give up a memorized passphrase, and it's not generally a crime to do so. You can be compelled in a variety of settings to provide a physical token, including biometrics, or disclose their existence. There can be civil coercive techniques to pursuade you to give up a password, but at a bare minimum, in a criminal situation or where the 5th amendment applies under my current understanding you cannot be forced to give a password from memory.

Of course if you're the surveillance target of a nation-state then potentially they can do what they need to do to covertly intercept your passphrase through physical access, evil maid etc., but that's a different ballgame.

[marklgr]

One of your point is that three things to memorize is more difficult than having just one, but sometimes it's just not the case: adding vivid images and funny/silly backstories actually makes remembering easier, as research suggested and borne out by personnal experience.

Now, it could be argued that these images/backstories could be made up for random ASCII chars too, but to me it's just easier to do so with words.

Regarding screenlocks, I tend to use relatively mediocre passwords (nothing stupid, though), since screenlocking is only useful against very casual attackers -- someone skilled and motivated will just get in if they have physical access to the box. But I agree that it's where muscle memory would work best.

[ascorbic]

A "better" password that you share between accounts is far worse than less strong passwords that are unique to each account. "+D%W}B_]7|~y" might be unfeasible to brute force, but that doesn't do much good if it turns up as plaintext in a dump and you've used it for all of your work or personal sites.

[gfsadhfsd]

What? Where did I say I share these passwords? I don't. Go up to my top post. Passwords of any importance are unique, also random, and stored in a text file in an encrypted volume (with a unique, strong, memorized key).

The only non-unique keys I use, are also nonrandom, and used for accounts with no security consequences. Like this one.

[ascorbic]

Apologies, I misunderstood your post.