Joose wrote: =72B#4q{.VYZ(HG(Rv=23s?Mnur:28Uh*s;rj*4oXZ9h[#<trh
I would love to always have passwords like that, and for copy-paste to be the ubiquitous method by which I could input them. But in my work (which is with all sorts of customers, with all sorts of complifangled security edicts they must adhere to) I've found there's always that one time where you have to actually fucking type the bastard.
Like when you're TeamViewering a Remote Desktop of a LogMeIn connection through a VPN to a VNC connection, or more simply you don't have direct access and have to tell someone else what to type. Even much simpler, supposedly 'just mstsc' connections are sometimes CTRL+V-blocked, so I just gnash my teeth and avoid anything too strenuous to replicate. *nix passwords pretty much always need to be typed.
Technically you only need to include a few 'odd' characters to create a password as strong as your example, i.e. "Hereismyreallyeasytoguesspasswordwithacoupleofcurlybrackets{}andthreestars***init", which is still no fun to type but at least can be recalled. We used to use some famous, near-but-not-quite-correctly punctuated quotes from Star Wars as our master passwords at the university, and they became surprisingly easy to type after a while - you only had to remember the phrase and the one or two crucial typos.
Security purists would say that if the password touches your clipboard then all security is lost - "copy pasta is sicurezza perduta" (I made that up) - with arguably less or equivalent security compared to the password being visible on your screen. Security purists also claim the only safe machine is one that has never been connected to a network, is switched off, broken and buried under 30ft of concrete, so there's only so far you can take it.
It depends largely on trust. I still cringe and stop customers from saying their passwords out loud when I know what they are and just want confirmation of a few letters that I'm looking at the right one, but a lot of what makes the security guys cringe themselves is where untrusted or random employees could gain access to an unprotected list of user passwords. That seems more of an HR issue to me - don't hire or give any access to people you don't trust. Tesco got a beasting recently as their password reminders were being sent out in plain text, but can one really expect the average shopper to have to decode a hashtagged keycode signature via a web-based form when they can just create a new account or register with Sainsbury's instead?
In my experience at least, the biggest threats aren't from overheard passwords, or even lists posted on the internet - it's from people using the exact same username/password combination on other, unhacked but more crucial sites where proper cash is involved. Even though the bots can try trillions of combinations a second, they still seem to rely mostly on these stolen lists, and adding even just one regular, random character to your stock password would keep them busy guessing for centuries, because they get enough good hits from everyone else's unchanged combinations to discard your slightly modified one and not bother trying to decode it - for all they know you could have changed it to a monstrously complex one.
That doesn't mean they won't try in the future though; if they but looked at the XKCD comic on easily computer-guessable passwords and applied it to their existing lists, then a lot of stuff would be compromised - but then maybe that's like spammers learning to spell or being able to string a sentence together.
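An added example, not from the post or from Joose, that puts the two strength claims above into numbers. It scores the post's two passwords under two attacker models: one who knows nothing and brute-forces the character set, and one who already has the underlying sentence (a famous quote, or the stock password from a leaked list) and only needs to guess the inserted 'odd' characters. The guess rate of 1e12/s is an assumed stand-in for "trillions of combinations a second".

```python
import math
import re
import string

# Both passwords are the ones quoted in the post above.
RANDOM_PW = "=72B#4q{.VYZ(HG(Rv=23s?Mnur:28Uh*s;rj*4oXZ9h[#<trh"
PHRASE_PW = "Hereismyreallyeasytoguesspasswordwithacoupleofcurlybrackets{}andthreestars***init"
GUESSES_PER_SEC = 1e12  # assumed stand-in for "trillions a second"


def charset_size(pw: str) -> int:
    """Size of the union of conventional character classes present in pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def bruteforce_bits(pw: str) -> float:
    """Attacker knows nothing: every position is drawn from the full charset."""
    return len(pw) * math.log2(charset_size(pw))


def known_phrase_bits(pw: str) -> float:
    """Attacker already has the sentence; only the inserted symbols do work.
    They must guess where the k symbols sit (k slots among letters+k positions,
    adjacent symbols allowed) and which punctuation character each one is."""
    symbols = [c for c in pw if c in string.punctuation]
    k = len(symbols)
    if k == 0:
        return 0.0
    letters = len(pw) - k
    placements = math.comb(letters + k, k)
    return math.log2(placements) + k * math.log2(len(string.punctuation))


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SEC) -> float:
    """Worst-case time to try every candidate in a space of 2**bits guesses."""
    return 2 ** bits / rate


if __name__ == "__main__":
    for name, pw in (("random", RANDOM_PW), ("phrase", PHRASE_PW)):
        bf, kp = bruteforce_bits(pw), known_phrase_bits(pw)
        print(f"{name}: brute-force {bf:.0f} bits ({seconds_to_exhaust(bf):.1e} s), "
              f"phrase-known {kp:.0f} bits ({seconds_to_exhaust(kp):.1e} s)")
```

Running it shows the sentence beating the random string while the attacker is ignorant of it, and collapsing to roughly fifty bits (minutes at the assumed rate) once the sentence itself is known; calling known_phrase_bits on a stock password with one appended symbol shows how little that single character adds after the stock version has leaked.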