by plamenv 5466 days ago
Can anyone explain why would you want a password longer than 16 characters? Even if it's unsalted, all lowercase letters and md5 hashed, it's impossible to bruteforce crack it. And people who use 16 character passwords are unlikely to have them all-lowercase-lettered so it's even worse for the crackers.

Sure, the 16 char limit may be arbitrary but even if you make it 50, tomorrow some outraged blogger will be complaining that he can't enter his 100-character password.

2 comments

A better question is: Why WOULDN'T I want a password longer than 16 chars?

The longer the password, the more secure I feel, even if it's one day leaked as an unsalted MD5. And I don't care whether I can remember it because my password manager has effectively superseded my memory.

There is no reason to put an upper limit to the password length.

Actually, you're right. For some reason, I was thinking that I have to pick a limit for the database field but, of course, the password is hashed so it doesn't matter how long it is.

I use 16 letter or longer all lowercase passwords. They're easy to type and easy to remember. For example, my HN password might be ishouldbemoreproductive. It's hard to crack, but doesn't require finger gymnastics to enter.

Actually, English phrases contain very little entropy -- as little as 0.6 bits per character. This is because the rules for what constitutes a valid word or phrase dramatically reduce the number of possible characters at a given position. To look at it another way: take an arbitrary string of letters. What's the probability that it forms a valid English word? Very low. Flipping this the other way, if we know that a password is constructed of English words, we can immediately throw out a vast majority of the search space simply because it contains substrings that never appear in real English text.

Here's a better way to construct a strong, yet memorable password:

Take a full sentence, including punctuation and capitalization. Use the first letter of each word as your password. For example, "I should go on Hacker News less frequently, because I'll be more productive." becomes "IsgoHNlf,bIbmp.". We now have three character classes in what appears to be a random sequence.

(Yes, this still has patterns due to being constructed from English. But we've effectively taken a longer English phrase, with higher total entropy, and compressed it into a string that doesn't exhibit the low per-character entropy of the full words.)

Obviously, there are rules for what constitutes a valid phrase, but they are rather complex for a password cracker to check.

My computer says there are 234979 words. Pick 5 and there are 716382975036689591261090899 combos. That is actually very very close to a 15 letter alphanumeric. 62 ^ 15 = 768909704948766668552634368.
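An added example (not from any commenter in the thread) that builds the first-letter password described two posts up and puts the search-space figures from this post side by side. The 234979-word dictionary, the 0.6 bits/char estimate and the uniform-random assumption behind each count are taken as given from the posts above; the sentence-derived password is not uniformly random, so the bit figures do not apply to it.

```python
import math
import string

# Constructed input: the sentence the earlier post turns into a password.
SENTENCE = "I should go on Hacker News less frequently, because I'll be more productive."


def first_letter_password(sentence: str) -> str:
    """Acronym-style password: the first character of every word, keeping any
    punctuation attached to the word's end so capitals and punctuation survive
    as extra character classes."""
    out = []
    for word in sentence.split():
        out.append(word[0])
        tail = []
        for ch in reversed(word):          # collect trailing punctuation
            if ch.isalnum():
                break
            tail.append(ch)
        out.extend(reversed(tail))
    return "".join(out)


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/punctuation classes appear."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(1 for cls in classes if any(c in cls for c in password))


def candidates(alphabet_size: int, length: int) -> int:
    """Exact search space for `length` uniformly random picks (with replacement)."""
    return alphabet_size ** length


def bits(alphabet_size: int, length: int) -> float:
    """The same search space expressed as bits of entropy."""
    return length * math.log2(alphabet_size)


def compare_schemes(dictionary_words: int = 234979,
                    english_bits_per_char: float = 0.6) -> dict:
    """Entropy (bits) of the password constructions discussed in the thread."""
    return {
        "16 random lowercase letters": bits(26, 16),
        "15 random alphanumerics": bits(62, 15),
        "5 random dictionary words": bits(dictionary_words, 5),
        # 'ishouldbemoreproductive' is 23 characters of ordinary English prose
        "23-char English phrase (0.6 bits/char)": 23 * english_bits_per_char,
    }


if __name__ == "__main__":
    pw = first_letter_password(SENTENCE)
    print(pw, character_classes(pw), "character classes")
    for name, b in compare_schemes().items():
        print(f"{name:40s} {b:6.1f} bits")
```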

I don't doubt that IsgoHNlf,bIbmp. is a secure password. But it's a bitch to type. Especially on a phone.