
Usable Security – Reply to “Security Now” – (by @baekdal)

Back in 2007, I wrote an article about password security, specifically how you could create a simple and usable password while remaining secure. In that article, you can read that it is 10 times more secure to use “this is fun” as your password than “J4fS<2”.

The article is the 6th most popular article of all time on Baekdal.com. It has been read 1,364,640 times, and last week it suddenly spiked again.

Many people have commented that I am wrong. They say that the password can be hacked much faster (using rainbow tables and similar), that it is not random enough, that it is too simple etc.

It culminated yesterday, when the highly respected security expert, Steve Gibson of GRC, talked about it in his popular podcast “Security Now” – along with Leo Laporte.

You can watch the whole thing here: http://twit.tv/sn297 (video coming)

Note: I deeply respect Steve and Leo, and I frequently watch the podcasts, as well as many other shows on Twit.tv.

Steve basically said the same thing as many others. It can be hacked a lot faster. It is not random enough. It is too simple.

He is absolutely right and I agree with what he said. But, does that mean I am wrong? Well, no – not really. Let me explain.

You can always make a password more secure by adding complexity. But you will also very quickly reach a point in which it is no longer usable.

You cannot remember a password like “8dU2i2xs1*hT#4A9tccT.” And even if you could, it would be really annoying to type.

The time and agony involved in using that password would cost too much, compared to the low risk of using the much simpler “this is fun” (which is still 11 characters long and quite secure).
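To make the tradeoff concrete, here is an added example (not code from the original article or from the Security Now discussion) that estimates how many guesses each of the two passwords above would survive under two attacker models: a character-class brute force, and the word-dictionary attack the critics describe for a passphrase. The dictionary size of 10,000 words and the guess rate of one billion per second are constructed assumptions for illustration, not figures from the post.

```python
import math
import string

# Character classes an attacker must include in a brute-force search once
# a character of that kind is known to be present in the password.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "space": {" "},                         # 1
    "symbol": set(string.punctuation),      # 32
}

def alphabet_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character."""
    chars = set(password)
    return sum(len(m) for m in CLASSES.values() if chars & m)

def brute_force_guesses(password: str) -> int:
    """Worst case for an attacker trying every string of this length/alphabet."""
    return alphabet_size(password) ** len(password)

def passphrase_guesses(password: str, dictionary_size: int):
    """Worst case if the attacker knows it is N dictionary words joined by spaces.
    Returns None when the password is not a multi-word passphrase."""
    words = password.split(" ")
    if len(words) < 2 or not all(w.isalpha() for w in words):
        return None
    return dictionary_size ** len(words)

def worst_case_guesses(password: str, dictionary_size: int = 10_000) -> int:
    """The cheapest of the two models is the one a defender should assume."""
    candidates = [brute_force_guesses(password)]
    p = passphrase_guesses(password, dictionary_size)
    if p is not None:
        candidates.append(p)
    return min(candidates)

def bits(guesses: int) -> float:
    """Express a guess count as bits of entropy for easy comparison."""
    return math.log2(guesses)

def seconds_to_exhaust(guesses: int, guesses_per_second: float = 1e9) -> float:
    """Assumed offline cracking speed; constructed figure for illustration."""
    return guesses / guesses_per_second

if __name__ == "__main__":
    for pw in ("J4fS<2", "this is fun"):
        g = worst_case_guesses(pw)
        print(f"{pw!r}: {bits(g):.1f} bits, ~{seconds_to_exhaust(g)/3600:.1f} h")
```

Under these assumptions the 11-character phrase is far stronger against pure brute force, but once the attacker assumes three dictionary words its search space drops to roughly the same order as the six-character random string, which is exactly the disagreement the post is about.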