
I would actually advise going against this advice. While it isn't a best practice, password sharing can and does happen, as does shoulder-surfing. It would take a LOT of effort to memorise my password, but a simple four word password will probably be remembered by accident. In a year's time if I piss a friend off, I don't want my Facebook password to be readily accessible in their memory.

I think more people need to learn to remember arbitrary strings. There really is no way around that problem if you want a decently secure password, and it's rare someone has a "good memory" - in most cases they've just learnt how to remember things well.

(Note: This doesn't really apply to me or most of us here in most cases, but for example my WiFi password is of the form "Mycatsname9" and yet my neighbour still has to ask me for it whenever her phone forgets it)



How do you share your preferred password? Because I guess everything but sending it per text/mail would be tedious, while it would work better with a couple of words.

Shoulder surfing: It's certainly a risk, but I'd say that prolonged shoulder surfing shouldn't be possible. If I type fast, it will be very hard to make out the phrase. If I type slow, you cannot stand around that long.

And - I'm not a security expert, but how much do you gain if you saw a couple of chars here? My intuition (yeah, shouldn't trust that) says that it's worse if I watch you and know the _first_ character of your password than you seeing the first 1-3 characters of the first word of my passphrase?

(We don't know the name of your cat, so judging the quality of the password or your neighbo(u)r's ability to remember it is hard)


> And - I'm not a security expert, but how much do you gain if you saw a couple of chars here? My intuition (yeah, shouldn't trust that) says that it's worse if I watch you and know the _first_ character of your password than you seeing the first 1-3 characters of the first word of my passphrase?

Novel thought and possibly worth pursuing, I hadn't thought of that. I want to reiterate this isn't something I broadly apply across all my passwords or even many of them, just that for some users password sharing is a use-case.


So you're advising against what appears to be a more practical and secure methodology on the basis that it's worse when you share your password? If you share your password, your exact problem is that you're sharing your password -- it's not how easy or hard the password is to remember. In fact, why does this even have any significance when the person you're sharing it with can just write it down?

Oh and if within a year's time you do not change your password, that could very well be another problem. I think you'd be better off just using easy to remember pass phrases and changing them every once in a while. Shouldn't be a problem because they are, after all, easy to remember.


> So you're advising against what appears to be a more practical and secure methodology on the basis that it's worse when you share your password?

Iff you share your password then yes, you should use a scheme more suitable for that. And yes we shouldn't be sharing passwords, and if we do we should be changing them, but in the real world where most people don't do that I don't think we should encourage passwords which their friends will remember easily - because that is a very common attack vector.


>I think more people need to learn to remember arbitrary strings.

The entire point is that humans aren't very good at doing this.

>(Note: This doesn't really apply to me or most of us here in most cases, but for example my WiFi password is of the form "Mycatsname9" and yet my neighbour still has to ask me for it whenever her phone forgets it)

This is actually exactly the kind of scenario where using pass phrases makes the most sense. WPA2 is vulnerable to rainbow table attacks; relatively long passphrases are both easier to remember for mere mortals and less likely to be broken by a rainbow table attack.


> The entire point is that humans aren't very good at doing this.

How true is this? Because everyone that tells me "I have a bad memory" doesn't even know the most basic tricks.

> This is actually exactly the kind of scenario where using pass phrases makes the most sense

I agree, actually - I don't mind if my neighbour does remember it, I was just trying to illustrate that things that are easy to remember are remembered by accident, and things like that are easily forgotten without effort.


Yes, if you share your password, it's probably better to use a password that needs to be written down and can't be memorized, in order to have a chance of revocation. (Or you could just change your password.) But for most of us, most of the time, memorizable passwords are a boon.
