I’m sure we’ve all heard that Bill Burr, the man who wrote the book on password management while working at NIST, has changed his mind about the password guidelines that he devised. “Much of what I did I now regret,” Burr, who is now retired, told the Wall Street Journal. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.” http://www.telegraph.co.uk/technology/2017/08/08/man-wrote-password-bible-admits-advice-completely-wrong/
It seems to me that one crucial factor that is usually ignored when discussing passwords is that how strong a password needs to be depends on whether it will be subjected to an on-line or an off-line attack. If you are attempting to break in to a website by using someone else’s account, and you know their username but not their password, you’ll only get, say, five or 10 attempts to guess it before the system will lock you out. So it really doesn’t matter whether the number of possible passwords is a million or a billion because you’ll only get the opportunity to try a handful of them. That’s what I mean by an on-line attack, and in those circumstances I’d argue that you don’t need a massively long or complex password – just one that’s long enough to prevent it being guessed within a modest number of attempts.
By contrast, what if an attacker has access to someone’s encrypted hard drive or encrypted password vault? Then they can subject it to an off-line attack. Nothing is going to stop them from trying password after password after password: the only limitation is how much time and computing power they have available. So to resist an off-line attack like this you really do need a strong password.
The distinction between these two types of possible attacks seems to be overlooked when discussing the subject: we all know that passwords are a pain in the neck, so let’s make sure that we don’t cause any more pain with our password rules than is absolutely necessary.