A couple of different friends sent me over a link to an article about the usability of passwords this weekend, clearly thinking it would strike a chord. Well, let’s just say I was enthralled before I even finished the second line: "Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice" The crux of the article is that so long as a password is sufficiently long – the example used is “this is fun” – you’re pretty damn secure (apparently 11 characters is just right). Actually, the term used was "secure forever". Wow, two pretty absolute terms. So let’s take a look at these and apply a bit of objective analysis to see if they hold water. Does a brute force attack really only run at 100 attempts per second? Is "this is fun" really 10 times more secure than "J4fS<2"? Do rainbow tables really work by an attacker copying and pasting a hash into a website? Are bad password management practices on the server really not your problem?