Devon H. O'Dell wrote:
> 2010/6/29 erik quanstrom :
>
>>>> I don't understand why modern security systems have an upper limit on passphrase length.
>>>>
>>> Because people can't remember passwords, and companies don't like
>>> employing full-time password changers.
>>>
>> i don't understand this comment. the length of a password
>> is only vaguely related to memorability. long english phrases
>> are easy to remember. unfortunately, they are also easy to
>> harvest automatically, so "four score and seven years ago" might
>> be a bad password.
>>
>
> The problem is two-fold:
>
> a) Lay-people are told by all their "computer guru" friends to choose
> a password that is difficult to guess. Add numbers, capital letters,
> punctuation. Most people don't think in this sort of context, and it
> is difficult to remember.
>
> b) People don't regard the idea as particularly important. I know many
> people who routinely forget 6-8 character passwords.
>

Many banks still use 4 digit PINs on their ATM cards, without problem.
Possession is a very important factor.

The token that will prevail of course is the phone - even though it denies relying parties the billboard value of a card.

Now, will developers be smart enough to isolate the private key from the phone's porous OS? The jury is out on that.

wk

--
Learn about The Authenticity Economy at http://video.google.com/videoplay?docid=-1419344994607129684&hl=en#