2010/6/29 erik quanstrom <quanstro@labs.coraid.com>:
I don't understand why modern security systems have an upper limit on passphrase length.
Because people can't remember passwords, and companies don't like
employing full-time password changers.
i don't understand this comment. the length of a password
is only vaguely related to memorability. long english phrases
are easy to remember. unfortunately, they are also easy to
harvest automatically, so "four score and seven years ago" might
be a bad password.
The problem is two-fold:
a) Lay-people are told by all their "computer guru" friends to choose
a password that is difficult to guess. Add numbers, capital letters,
punctuation. Most people don't think in this sort of context, and it
is difficult to remember.
b) People don't regard the idea as particularly important. I know many
people who routinely forget 6-8 character passwords.