
Don't use an "idiot" password, use a long password. Good passwords aren't complex, they're LONG.

"this is a really dumb password" is probably actually a really good password. ;-)

And also, your "problem" is simply your decision to trade security for convenience.

You need to weigh the risks vs. reward and make the choice for yourself. If something goes wrong, at least you'll know why.



The problem is to tap all of that into your phone, every time iOS decides it desperately needs it again, with just stars instead of letters. That's annoying.


I've got a fairly long iCloud password with upper and lower case letters, numbers, and symbols. After four or so years of typing it on iOS devices, I have the muscle memory to type it extremely fast without thinking about it. In fact, to figure out the actual characters of the password, I have to visually reconstruct the physical typing that I do from muscle memory.


It's a pain, but really not that bad. You tweet from your phone (or use email/SMS/whatever else). 20 characters is manageable and secure, as long as it's randomly generated.


If it's randomly generated, it's impossible to remember to fill in on your phone. Unless you have it on a piece of paper in your wallet.


Really? I remember quite a few four-word (xkcd-style) random passphrases.


Bingo. I'm actually thinking of diceware.


20 chars: bu-Y6Bx(94ijk1Y5$kWx


Long passwords (aka the xkcd scheme) aren't secure anymore - https://www.schneier.com/blog/archives/2014/03/choosing_secu...

The only good passwords are ones that stay well away from dictionary words.


Bruce Schneier clearly misunderstood the xkcd scheme.

In fact, the Schneier method for generating passwords is probably worse than the xkcd method because a significant percentage of the people who try to use his method will choose a password with low entropy such as "wtpotusio2fampu" (We The People of the United States...) or "igmhaohcr" (I'm gonna make him an offer he can't refuse).

All I have to do is crawl the internet and calculate, say, the top 5 million n-grams. The resulting 5 million candidate passwords would be far more likely to match a typical Schneier-based password than a corresponding list of 5 million candidate passwords designed to match an xkcd-based password.

The simple rule is this: Don't let users choose a password. They suck at it.


Six really random words -- not a sentence -- gives you pretty good security.

Six words chosen from this list http://world.std.com/~reinhold/diceware.wordlist.asc truly at random gives you almost 80 bits of entropy. And six random words are easier to remember than 16 totally random letters.

EDIT seriously, 221073919720733357899776 is a really big search space. If you have a computer that can search a billion per second, it's going to take 1000 computers 1000 years to catalog just 14% of the search space.


The Schneier article is puzzling; the security of the diceware/XKCD scheme doesn't rely on the word list being secret, just on the words from the list being chosen randomly. 4 words randomly chosen from a list of 5000 provide about 49 bits of entropy when the list of words is fully known.

Against an attacker who knows exactly how you chose your password, it's (roughly) the same level of security as a 14-digit numeric code, or an 8 letter case-sensitive alphanumeric code. It's just supposed to be easier to remember.
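The arithmetic in the two comments above (six Diceware words, "almost 80 bits", the 7776^6 search space and the 1000-computers-for-1000-years estimate; four words from a 5000-word list, "about 49 bits", roughly a 14-digit or 8-character alphanumeric code) can be checked directly. The following is an added worked example, not code posted by any commenter. It reads the word list shape from the Diceware scheme (five dice rolls select one of 6^5 = 7776 words); the word list itself is a constructed placeholder keyed by the dice codes, since the real list at the URL above is not reproduced here, and the word text does not affect the entropy. The one security-relevant assumption, which matches the point made above, is that every pick is uniform and independent, so the generator uses `secrets`, not `random` or a human.

```python
import itertools
import math
import secrets

# Diceware selects a word with five dice rolls: 6**5 = 7776 equally likely codes.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed placeholder for the real Diceware list: maps each five-dice code
# (e.g. "43146") to a stand-in word. Only the list size matters for entropy.
TOY_WORDLIST = {
    "".join(code): "w" + "".join(code)
    for code in itertools.product("123456", repeat=5)
}


def entropy_bits(list_size: int, words: int) -> float:
    """Bits of entropy for `words` independent, uniform picks from `list_size`.

    Valid only if the picks really are uniform and independent; a passphrase
    that is a grammatical sentence, or words picked by hand, gets fewer bits.
    """
    return words * math.log2(list_size)


def search_space(list_size: int, words: int) -> int:
    """Number of distinct passphrases the attacker must enumerate in the worst case."""
    return list_size ** words


def equivalent_length(bits: float, alphabet_size: int) -> float:
    """Symbols of a uniform code over `alphabet_size` symbols carrying `bits` of entropy.

    E.g. equivalent_length(49.15, 10) ~ 14.8 digits; equivalent_length(49.15, 62) ~ 8.3
    case-sensitive alphanumerics, matching the rough equivalence stated in the thread.
    """
    return bits / math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float, fraction: float = 1.0) -> float:
    """Wall-clock years to try `fraction` of `space` at `guesses_per_second`."""
    seconds = space * fraction / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def diceware_roll() -> str:
    """Five fair dice rolls as a string, using a CSPRNG (secrets), e.g. '43146'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_passphrase(wordlist: dict, words: int = 6) -> list:
    """Pick `words` words by independent dice rolls; each pick is uniform over the list."""
    return [wordlist[diceware_roll()] for _ in range(words)]


if __name__ == "__main__":
    six = entropy_bits(DICEWARE_LIST_SIZE, 6)
    print(f"6 Diceware words: {six:.1f} bits, space {search_space(DICEWARE_LIST_SIZE, 6)}")
    # 1000 machines at a billion guesses/s each, 14% of the space
    print(f"14% of that space at 1e12 guesses/s: "
          f"{years_to_exhaust(search_space(DICEWARE_LIST_SIZE, 6), 1e12, 0.14):.0f} years")
    four = entropy_bits(5000, 4)
    print(f"4 words from 5000: {four:.1f} bits ~ "
          f"{equivalent_length(four, 10):.1f} digits ~ "
          f"{equivalent_length(four, 62):.1f} alphanumerics")
    print(f"16 random lowercase letters: {entropy_bits(26, 16):.1f} bits")
    print("sample passphrase:", " ".join(diceware_passphrase(TOY_WORDLIST)))
```

Note that the exhaustive-search figure is the attacker's cost when the word list is public; it does not depend on keeping the list secret, only on the picks being random. Swapping `secrets.randbelow` for `random.randrange` would keep every number above the same while quietly making the real-world guarantee weaker, because the default `random` generator is not designed to resist prediction.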


His point is that using actual, grammatically correct, sentences is not the same as using several random words. As your mobile keyboard autocomplete well knows, after a certain word there are words more probable than others.

How many people use this kind of approach, I don't know. Schneier seems to focus on "three random letters" kind of attacker.


A good password is one that's not known or readily knowable.

There are archives of known passwords -- millions of them. These should be rejected on any online service.

There are tools for guessing passwords. Any password which falls into any of the likely-to-be-guessed divisions should _also_ be rejected.

Dictionary words _could_ work in a sufficiently large namespace. But that's pretty iffy.



