For Diablo (anything Blizzard) - Get an authenticator. Mine was...$10, I think, and Hubby uses an app on his phone.

Most people aren't going to *remember* a 16-character password unless it's a normal or only slightly masked English phrase, whereas most people can memorize even a random 8-character string of numbers and letters.

A bank (mine, at least) is much more careful overall about who you are than Gmail is. My Gmail username is readily available to anyone who wants it; in fact, any CS/Fratching! member's first guess at what my gmail address is will probably be correct. Whereas my username for the bank is known only by myself; in that sense, it acts almost as a second password.

If you enter a wrong password on Gmail too many times, I believe that, like Fratching!, they lock you out for a set period of time. Maybe not even that. If I don't get my bank password in right by the third try, I have to call the bank on the phone and go through a real person to get my account unlocked.

I can log into Gmail from pretty much any computer I can physically access which has an internet connection, with nothing but my address and password. Which means anyone else can too. If I use any computer other than my own, even with correct login information, the bank makes me answer a series of security questions to verify I'm really me. (Annoyingly, they also do this about the first ten times in a row I go there on my own computer after just once using another, but it's a mild nuisance and not many people know my first pet's name was Bojangles and my favorite childhood TV show was The Monchhichis.)

All in all, I don't see how the shorter password is a problem.

there's a difference between requiring and allowing, I'm not allowed to have a good password if I want to. The people who can't remember would still have the option of the shorter passwords.

This strip illustrates better than I could explain why shorter passwords are, in every way that matters, worse than longer passwords:

http://xkcd.com/936/

My husband works for a government contractor that requires their employees passwords to be no less than 13 characters long. Everyone who works there has passwords that are much longer than that.

Restrictions on passwords are a pain anyway. I should (basically) be allowed to use what ever password I want with as many characters. Putting restrictions not only makes it easier for hackers to narrow down the password, but it makes it harder for me to pick a password I can remember.

People really need to be taught how security for log-ins really works.

First, for anything non-trivial (basically, anything that involves money, like your banks, online retailers, etc) should have not only a unique password, but a unique user name as well. It doesn't take much to do that, either; As an example, if I use the name Andara for my login somewhere, for my bank, I could change that to AndaraMB or similar. It doesn't have to be complex, and if you use the same formula for each site, it's also easy to remember.

The same goes for passwords. While longer really is better, you can make a strong password, even with only 8 characters.

Here are some examples of various 8-character passwords (with and without special characters) to show whether what you're using is worth the effort it takes to remember (all times are approximate for brute force computer cracking, courtesy of howsecureismypassword.net):

bankpass - 13 minutes - single-case dictionary words and easy to gess, too - you might as well just stick it on a post it on your monitor, while you're at it.

b4nkp4ss - 3 hours - just adding some numbers to the letters makes a huge difference - if a site limits incorrect entries or throttles, this is actually strong enough, although a bit easy to guess.

bankpa$$ - 8 hours - alternate characters are better than numbers, but for a site that doesn't protect you (a lot of forums and gaming sites and a depressing number of online merchants), your account is still woefully vulnerable.

b4nkp4$$ - 2 days - numbers and alternate characters are an exponential jump - still mildly vulnerable, but less dedicated hackers will have gotten the low-hanging fruit and moved on before breaking in.

BankPass - 2 days - as good as numbers and characters combined and a lot less effort - it's still far too easy to guess, but an automated team will often move on before this point.

B4nkP4ss - 10 days - at this point, you should be beyond the reach of both manual and automated attacks - unless they really want into sites on the account (banks, gaming portals, merchants), they won't stick around this long, and any site you'd trust with your money would have locked the account down well before it gets this far.

BankPa$$ - 18 days - special characters are still better than numbers, but at this point, you're probably safe on every site that has any form of brute force lockout.

B4nkP4$$ - 57 days - the holy grail of a strong password - mixed case, and has numbers and special characters - any site that gets broken into with this password is probably not one you want to be part of anyway.

B4nk P4$ - 333 days - this one is included for those rare sites that will allow spaces - if you're worried about your online security enough that you will use spaces when allowed, then you should also be looking into a password locker with an adamantium password for that.

It's worth noting that if you use numbers or special characters to replace letters, you might as well do all of them, as the brute force doesn't care if you have 1 versus multiple.

And the best way to increase password strength is length.

Just adding an 's' to get 'bankpasss' pushes it to 6 hours. At 10 characters, you're up to 6 days. 11 characters is 169 days. And 12 characters, all lower case, all letters, is suddenly 12 years.

One of my passwords for one particular site I'm on, is 18 characters, because that's what it happened to be, and even though it's an actual word, the brute force would take about 3 billion years. Someone getting into my account will be doing so via keylogger or the site itself being hacked. My regular patter password, however, is 12 with all three character types (only single case) is worth 1 million years.

...

TL:DR - longer is better, and at 12 characters, as long as you're not using a word, you're pretty much unhackable.

^-.-^

I have a couple of logins for some government sites, and I default to a 16-character pattern. It has all three improvements: mixed case, numbers, and special characters. Plus, since it's a pattern, I can write down a 4-character "cheat" that nobody who doesn't know the pattern already will understand the significance of.

Single case is 12 years strong.
With numbers is 600 years.
With special characters is 2,000 years.
With numbers and special characters is 39,000 years.
Mixed case is 49,000 years.
Mixed case with numbers is 408,000 years.
Mixed case with special characters is 1,000,000 years.
Mixed case with numbers and special characters is 193,000,000,000 years.

Just starting off, 16 characters is pretty much uncrackable even if you're using a single case, and government systems are notably restrictive regarding multiple failures.

^-.-^

I'll reiterate what HYHYBT said - most sites will lock you out after a certain number of failed attempts within a certain time frame. That alone pretty much stops any brute-force cracking. This is why ATM PIN codes (4 digits, 10000 possible codes, cracked in 10 seconds) are actually secure enough for most purposes.

Most passwords are cracked via social engineering - if they're not hacking you (putting a keylogger on your system, for example), they're using social media to find out details about you - your pets' names, your birthday, your anniversary, etc. Brute force methods don't work so well these days. Which is why, despite having relatively short passwords for even some critical sites, I've never had any of my accounts hacked.

The best things you can do for account security are:

1.) Don't use stupid passwords, like password or drowssap, or personally significant dates.
2.) Don't share passwords among important sites. Any site where someone could spend your money on arbitrary things (Amazon, PayPal, eBay, etc), get access to important data (financial records, etc), or damage your reputation (World of Warcraft - and by "reputation," I don't just mean among other players). I use the same password for all of my utility accounts, because if someone manages to get into my water or electric accounts, all they can do with it is... pay my bills!

My current passwords, are both 169 days to guess.

well now the entire internet knows

and as an aside I now have that song stuck in my head....way up in the trees live the monchichis....(though I'm glad I'm not the only human that remembers that show)

I do something interesting with any security questions: I pick an answer that is technically correct, but can't be gleaned from any social media. Examples are:

Birth city > precise neighborhood (this grew out of a mistake I made originally setting the question up, but I decided to keep it)
First pet's name > combination of 2 pets' names, combined in a convoluted manner that still seems like a real name
Father's middle name > grandfather's (on my mother's side) middle name

All I remember of that show *is* the song, and though I did watch it Saturday mornings during the brief time it was on, the reason nobody knows that was my favorite show (and that my first pet was named Bojangles) is that they weren't. I'm not a total idiot

I still think just about anything better than "password" or your name will do if they lock your account (not just for a period of time, but until you actually call in person and talk them into unlocking it again) after only three tries... which my bank does.

The *option* of longer passwords for those who really, really want them would be nice, but it's not anything like the problem the thread title suggests.

(My favorite site in this regard, and I don't remember which it was, lets you make up your own security question. I love that, and came up with one that both tells *me* exactly what the answer is while being so absurdly open-ended that even my mother or my theoretical husband would never guess it. On the other hand, worst in that regard are sites that ask you which of their standard, prewritten questions you answered when you first signed up as well as its answer. How they think it's reasonable to expect people to remember THAT I cannot even guess.)