by dllthomas 4268 days ago
This article includes some good points, but puts them together into something inane. It's true that silly constraints lead to trivial changes that lead to crackable passwords. It's also true that assuming brute force over all character classes included in a password is wrong. Those are precisely what the "correct horse battery staple" comic was getting at. Picking words at random (that is, based on a PRNG - not "random" meaning "arbitrarily, by hand") from a dictionary, brute force over that dictionary is the best an attacker can do, and the (dictionary size ^ number of words) calculation is a correct measure of entropy, and with sufficient entropy no passwords will be duplicated. The "correct horse battery staple" hypothesis is that this gets a better score on "entropy per difficulty memorizing" than generating passwords by drawing randomly from a dictionary of typeable characters, and I find that to hold - it's also easier to type actual words.

The other odd point is that we shouldn't be advocating stronger methods of choosing passwords because we should be using multifactor authentication. I don't dispute that we should be using multifactor authentication in more places, but even in that case weak passwords are a problem!


His primary point is that people should not be choosing passwords at all, and should instead use a password manager, except for a select few passwords such as logins for computer and phone, and the password manager master password itself.

Yes, the correct horse battery staple has more entropy than most common passwords, but the point is that we don't need a way of generating better memorable passwords. We can already just generate random, long, completely non-memorable sequences of characters and store them in a password manager, and that's what we should be doing.

I don't disagree with that primary point, but the "except..." is plenty of reason for recommending good mechanisms for password selection.
> people should not be choosing passwords

CHBS is a method for generating passwords, not choosing them.

OK, but its purpose is to generate memorable passwords. The point of the article is that focusing on making passwords memorable is counter-productive, since we shouldn't generally be trying to remember passwords. And if you're not trying to remember it, a string of 16 random characters works fine.
Yes and no. Secure and memorable passwords are still vital for securing your password manager. Having a means to generate them is not counter-productive.
> The other odd point is that we shouldn't be advocating stronger methods of choosing passwords because we should be using multifactor authentication. I don't dispute that we should be using multifactor authentication in more places, but even in that case weak passwords are a problem!

Only he never says that weak passwords are OK. Instead he says that we should not let people decide them, and instead use a uniformly random distribution of passwords (i.e. generated automatically).

That is precisely what "correct horse battery staple" suggests, over an alphabet that is more memorable per bit of entropy.
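As an added example (not part of the thread), the entropy arithmetic both sides rely on: the (dictionary size ^ number of words) figure for a PRNG-chosen passphrase from the first comment, beside the "16 random characters" manager-generated password from the later reply, converted to bits so the two can be compared. The 7776-entry dictionary size and 94-symbol printable alphabet are assumptions; the tiny word list embedded below is constructed for the demo.

```python
import math
import secrets
import string

# Assumed sizes: a 7776-word list (6^5, the usual dice-rolled size) and
# the 94 printable ASCII symbols a password manager typically draws from.
DICTIONARY_SIZE = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed 16-word list for the runnable demo (4 bits per word).
DEMO_WORDS = ["correct", "horse", "battery", "staple", "apple", "river",
              "candle", "window", "forest", "copper", "silent", "meadow",
              "harbor", "planet", "violet", "tunnel"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a secret drawn uniformly at random:
    log2(alphabet_size ** length) == length * log2(alphabet_size).
    Only valid when every element is chosen by a CSPRNG, not by hand."""
    return length * math.log2(alphabet_size)


def passphrase_entropy(words: int, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """The thread's (dictionary size ^ number of words) measure, in bits."""
    return entropy_bits(dictionary_size, words)


def elements_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest count of uniformly chosen elements reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_passphrase(words: int, wordlist=DEMO_WORDS) -> str:
    # secrets, not random: the comment's point is PRNG choice, not "arbitrary".
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def generate_password(length: int = 16) -> str:
    # What a password manager stores: no memorability needed.
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


if __name__ == "__main__":
    print(f"4 words from {DICTIONARY_SIZE}: {passphrase_entropy(4):.1f} bits")
    print(f"16 chars from {len(PRINTABLE)}: {entropy_bits(len(PRINTABLE), 16):.1f} bits")
    print("words matching 16 chars:", elements_needed(entropy_bits(94, 16), DICTIONARY_SIZE))
    print(generate_passphrase(4), "|", generate_password())
```

The four-word passphrase lands near 52 bits while the 16-character manager password is near 105 bits, so matching the latter takes nine words; the comparison in the thread is about bits per unit of memorization effort, not raw strength.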