by nucleardog 2008 days ago
> Reason: You still have to type it sometimes. Like on a device you don't have the password manager on.

Assuming a standard typeable character set (letters upper/lower, numbers, symbols you can type on a standard US keyboard), you've got 92 characters. (Safe assumption given you're planning on typing this on all sorts of devices.)

Your randomized eight character password has 52 bits of entropy. Twelve characters takes it to 78 bits. Not really enough if you're up against an offline attack.

Assuming you choose 5 random English words (which will probably take you about two seconds to type on something like a phone), you'll have a more secure password.

I agree typing on devices that don't have your password manager is annoying, but in my experience it _really_ doesn't come up that often. Yours is the exact reason I use 32 character passwords rather than the 64/128/etc some people I know use.

But 12 is... short. The trade-off between the added security and the inconvenience makes it a pretty obvious choice for me. (And you're wrong--having a database dump full of password hashes does not "already owning that site" make.)

Typing 32 characters on a game console to log into Netflix taking an extra minute every few years is really not that inconvenient relative to the added security. And it's something like 2^130 times more secure than your 12 character password for the inconvenience it brings. Or about 1,361,129,500,000,000,000,000,000,000,000,000,000,000 times (I can't actually find the SI prefix for how big this is) stronger.
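The entropy arithmetic behind this comment, as an added worked example (not part of nucleardog's post): it reproduces the 52/78-bit figures and the 2^130 gap for a 92-symbol character set, and adds an expected offline cracking time at an assumed guess rate. The 7776-word list size and the 1e10 guesses/second rate are assumptions for illustration, not figures from the comment.

```python
import math

# Character-set size the comment assumes for a password typeable on any device.
TYPEABLE_CHARSET = 92
# Size of the word list for a random-word passphrase (assumed; Diceware-style lists have 7776).
WORDLIST_SIZE = 7776
SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `symbols` choices."""
    return length * math.log2(symbols)


def advantage_bits(symbols: int, longer: int, shorter: int) -> float:
    """log2 of how many times more guesses a `longer` password costs than a `shorter` one."""
    return entropy_bits(symbols, longer) - entropy_bits(symbols, shorter)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected offline cracking time: on average half the key space is searched."""
    return 2 ** (bits - 1) / guesses_per_second


def strength_report(guesses_per_second: float = 1e10) -> dict:
    """Bits and expected crack time (years) for the candidates discussed in the thread.

    The guess rate is an assumed placeholder; adjust it for the hash in use.
    """
    candidates = {
        "8 random chars": entropy_bits(TYPEABLE_CHARSET, 8),
        "12 random chars": entropy_bits(TYPEABLE_CHARSET, 12),
        "32 random chars": entropy_bits(TYPEABLE_CHARSET, 32),
        "5 random words": entropy_bits(WORDLIST_SIZE, 5),
    }
    return {
        name: (bits, expected_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR)
        for name, bits in candidates.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in strength_report().items():
        print(f"{name:16s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    gap = advantage_bits(TYPEABLE_CHARSET, 32, 12)
    print(f"32 vs 12 chars: about 2^{gap:.0f} times more work")
```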