There’s been a lot of conversation about this topic recently on my project team, and I’m starting to agree that long non-complex passwords seem to be a better way to go than shorter “complex” passwords. Check out this interesting Infoworld article by Roger Grimes of Foundstone: http://www.infoworld.com/article/06/07/21/30OPsecadvise_1.html.
As far as life with a long passphrase goes, I was forced to change my password at work the other day and decided to put the long passphrase to the test. I chose a passphrase that was 17 characters long and typed it into the password change dialog twice. The system complained because it was not complex! Argh! Anyway, I complexified it a bit (enough to get past the complexity checker) and have been using an 18-character passphrase for the past week. Within a day I had the muscle memory down and was typing it without error 90+% of the time. This was about as good as I’ve done with my prior password, which was considerably shorter.
I think the notion that passwords can’t be longer than 8 characters without users revolting or sending helpdesk costs through the roof is received wisdom that everyone “knows” is true, but no one has ever tested. Maybe it’s time to start reconsidering…
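To put the post’s argument in concrete terms, here is an added example (not from the original post or the linked article): a brute-force search-space estimate for a 17-character lowercase passphrase versus an 8-character “complex” password, plus a policy check that accepts long passphrases on length alone instead of rejecting them the way the checker above did. The character-class rule, thresholds and sample passwords are constructed assumptions, not the policy of any particular system.

```python
import math
import string

# Constructed approximation of a typical "three of four classes" complexity rule;
# the post does not say exactly which rule rejected the 17-character passphrase.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

def classes_used(pw):
    """Names of the character classes that appear at least once in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def keyspace_bits(pw):
    """Upper-bound brute-force estimate in bits: (alphabet of classes present) ** len(pw).
    This ignores dictionary structure, so it overstates strength for phrases
    built from common words; it is only meant to compare length against class mix."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet)

def legacy_policy_ok(pw, min_len=8, min_classes=3):
    """Complexity-only rule: rejects a long all-lowercase passphrase."""
    return len(pw) >= min_len and len(classes_used(pw)) >= min_classes

def length_aware_policy_ok(pw, long_len=16, min_len=8, min_classes=3):
    """Accept a long passphrase on length alone, or a shorter password that meets
    the class rule. (Assumed thresholds; tune to your own risk model.)"""
    if len(pw) >= long_len:
        return True
    return legacy_policy_ok(pw, min_len, min_classes)

def compare(pw):
    """Summarise how the two policies treat pw alongside its search-space estimate."""
    return {
        "length": len(pw),
        "bits": round(keyspace_bits(pw), 1),
        "legacy_ok": legacy_policy_ok(pw),
        "length_aware_ok": length_aware_policy_ok(pw),
    }

if __name__ == "__main__":
    # Constructed samples: a 17-char lowercase passphrase and an 8-char "complex" password.
    for sample in ["correcthorsebatry", "Tr0ub4d!"]:
        print(sample, compare(sample))
```

The 17-character lowercase phrase has roughly 80 bits of brute-force search space against about 53 for the 8-character mixed-class password, yet only the length-aware policy accepts both.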