
You have to be pragmatic with users and offer them a path of least resistance while implementing a greater level of security. I've only recently been able to get users to pay attention to why they need a password manager - the iCloud hack helped more in that than even Snowden did.

That path of least resistance right now, I find, is installing a password manager and securing it with a primary password that is generated from four or five dictionary words. Combine that with two-factor authentication for the most important accounts (Google Authenticator is surprisingly easy to teach people to use).

You find corner cases that cause problems: apps that don't support automatically having the password entered, or pasting the password in, mobile apps that become frustrating to enter long random passwords into so users just change them to something simple (including Apple IDs).

Four random words is beyond 'good enough' and far better than what most users are doing now. Rolling out and advocating new security measures is much about compromise and pragmatism. When somebody who is an ordinary computer user asks you what a good password technique is, do you spend 60 minutes explaining entropy and how people are bad at generating passwords (putting them to sleep), or do you just point them to a comic and one of the random xkcd password generators?

The iCloud hacks have done more for security awareness than what a million blog posts could ever have. It would be good to take advantage of it with a common approach rather than mixed signaling (I just know that at some point I'm going to hear someone say "but I saw something on hacker news about how those xkcd passwords aren't secure" - and I will have to take a deep breath).

Advocacy now could be focused on developers, where there is some catching up to do - a common protocol for password managers, allowing copy and paste, hooks in apps, agreeing on a set of weak passwords that should be not allowed (a lot of services already do this, most use top x from RockYou), removing those silly character restrictions (example: Apple IDs can't be XKCD passwords since they enforce a capital letter and number), building password generating into more systems (based on an open spec - it should be an OS feature, not an app).



I agree with most of this. I do think it's worth stressing the point periodically that "random" in "four random words" needs to be "picked by a computer", not "picked arbitrarily by a human" - humans aren't nearly as good at randomness as we think, even when that's what we're trying for.
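An added example, not from either commenter, of the two points above: the words must come from the operating system's CSPRNG rather than a human's head, and the strength of "four random words" is simply the number of words times log2 of the list size. The 16-word list is a constructed stand-in; the 7776-word figure and the 1e10 guesses/second rate in the demo are assumptions used only to show the arithmetic.

```python
import math
import secrets

# Constructed sample wordlist (assumption). A real generator would load a
# published list such as a 7776-word Diceware list instead of this stub.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "orbit", "velvet", "canyon",
    "pillow", "marble", "thunder", "quartz", "lantern", "meadow", "saddle",
    "copper", "anchor",
]


def entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly, with replacement, from a
    list of wordlist_size words. Each word adds log2(wordlist_size) bits; the
    list and the phrase length are assumed known to the attacker."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(wordlist, word_count: int = 4, separator: str = " ") -> str:
    """Pick the words with secrets.choice (OS CSPRNG). random.choice or a
    person 'thinking of' words would not give the entropy computed above."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def average_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline attacker to hit the phrase, i.e. half of
    the 2**bits keyspace at the given guess rate."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST)
    print("sample phrase:", phrase)
    print("bits from 16-word stub list:", entropy_bits(len(SAMPLE_WORDLIST), 4))
    bits = entropy_bits(7776, 4)  # assumed Diceware-sized list
    print(f"bits from 7776-word list, 4 words: {bits:.1f}")
    # assumed 1e10 guesses/s (fast offline hash cracking); online logins
    # are rate limited and orders of magnitude slower
    print(f"average offline crack time: {average_crack_seconds(bits, 1e10) / 3600:.1f} h")
    print(f"5 words instead of 4: {entropy_bits(7776, 5):.1f} bits")
```

Note that four words from the 16-word stub give only 16 bits, which is why the list size matters as much as the word count.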



