Passphrases in the style of XKCD 936 or Diceware have gained popularity, but are they secure enough and practical to use? They seem like a good compromise between security and memorability, but why did Bruce Schneier say using them is "no longer good advice"? This session investigates popular password generation schemes and examines the characteristics that determine passphrase strength. We will also review whether the average person finds these passphrases easier to use than passwords, and whether they're practical to use in most cases.
Bruce, aka PwdRsch, is the founder of PasswordResearch.com. He aims to introduce more professionals to new and existing authentication research, so they can better justify secure systems design and policy choices. He has previously presented at Black Hat, SANS, and InfoSec World conferences.