Bruce Cowper has posted an interesting article discussing passwords and passphrases following Bill’s keynote at ITForum last month. Clearly we’d all like to see the back of passwords, as they are unfriendly to users. In time, technology may make it feasible for devices such as smartcards and federated authentication services to take the pain away.
In the meantime there are so many systems that require users to enter static passwords that we need to consider how to get the maximum level of security from this basic form of authentication.
As Bruce points out in his article, there are some discussion papers on TechNet which discuss the use of passphrases rather than passwords. The concept is pretty straightforward: advise users to enter whole sentences in the password field rather than individual words or cryptic combinations of characters. It’s not realistic to expect users to remember long strings of random characters for their passwords, let alone expect them to change them frequently without writing them down.
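To make the passphrase-versus-password argument concrete, here is a small worked comparison I have added (it is not code from Bruce’s article or the TechNet papers). It assumes a cryptic password draws each character uniformly from the 94 printable ASCII symbols and a passphrase draws each word uniformly from a vocabulary of about 20,000 common words; both are labelled assumptions and real user choices are far less uniform, so treat the figures as upper bounds. It also shows a length-and-word-count policy check of the kind a passphrase-friendly system would use in place of character-class rules.

```python
import math

# Assumed alphabet sizes for the estimate (not figures from the original post).
PRINTABLE_ALPHABET = 94     # printable ASCII, excluding space
VOCABULARY_SIZE = 20_000    # rough size of an everyday English vocabulary


def random_password_bits(length: int, alphabet: int = PRINTABLE_ALPHABET) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet)


def passphrase_bits(words: int, vocabulary: int = VOCABULARY_SIZE) -> float:
    """Entropy of a passphrase whose words are chosen uniformly from a vocabulary."""
    return words * math.log2(vocabulary)


def words_needed(target_bits: float, vocabulary: int = VOCABULARY_SIZE) -> int:
    """Smallest number of vocabulary words that matches a given entropy target."""
    return math.ceil(target_bits / math.log2(vocabulary))


def check_passphrase_policy(secret: str, min_length: int = 20, min_words: int = 4) -> list[str]:
    """Passphrase-oriented policy: reward length and distinct words, not symbol soup.

    Returns a list of policy violations; an empty list means the secret is accepted.
    """
    words = secret.split()
    problems = []
    if len(secret) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(words) < min_words:
        problems.append(f"fewer than {min_words} words")
    # Repeating the same word adds length but very little unpredictability.
    if len(set(w.lower() for w in words)) < len(words):
        problems.append("repeated words")
    return problems


if __name__ == "__main__":
    # Constructed sample secrets for illustration only.
    cryptic, phrase = "Tr0ub4dor&3", "correct horse battery staple"
    print(f"8 random printable characters: {random_password_bits(8):.1f} bits")
    print(f"4 random vocabulary words:     {passphrase_bits(4):.1f} bits")
    print(f"words needed to match 8 chars: {words_needed(random_password_bits(8))}")
    print(f"{cryptic!r}: {check_passphrase_policy(cryptic) or 'accepted'}")
    print(f"{phrase!r}: {check_passphrase_policy(phrase) or 'accepted'}")
```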