When I was doing research for my book Authentication a few years back, I came to realize just how crazy password management has become. The rule comes down to this:
The password must be impossible to remember and never written down.
This is, of course, ridiculous. The ideal password has to be both memorable and hard to guess. Ideally, a password should also be hard to crack, which means that even a computer takes a really long time to guess it.
My thoughts on these issues yielded these articles:
The Center for Password Sanity
- Replacing a Hacked Password
- Picking Passwords
- Famous Passwords
- Password Expiration Considered Harmful
- The Strong Password Dilemma
Some of this material may be reproduced under a Creative Commons license. The copyright for some material is held by Addison-Wesley, the publisher of Authentication.