While setting up login credentials that would be used to have a script on one machine talk to a remote machine, I had an epiphany. There are two types of passwords: the ones you have to remember and type often, and the ones you don’t.
I’d add a third category, really: the ones you occasionally have to type but ought to know. I let Firefox and Thunderbird remember most of my passwords, but I still need to remember them, since I’m not always using this computer. And then there are the ones I use every day that aren’t remembered, so I know them by heart.
But there’s that last category: the passwords you don’t have to remember. They’re either just hardcoded into a script somewhere, or they’re set and utterly forgotten. And here’s the point of all my babbling: if you don’t ever have to remember the password, why is it the least bit guessable? If I were setting up an account to be shared between several coworkers, “s3cr3t” might be cute. But no human will ever type the passwords I’ve been setting, so why not use 30 characters of banging on the keyboard with mixed-case, numbers, and symbols galore?
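As an added example (not code from the original post), here is a small Python script that does what the paragraph above suggests for a script-to-script credential: it draws the password from a CSPRNG rather than from "banging on the keyboard", reports how many bits of guessing work a 30-character mixed-case/digit/symbol password represents next to an 8-character one, and keeps the secret in an owner-only file that the script reads at run time instead of hardcoding it. The file path and the helper names are my own assumptions.

```python
import math
import os
import secrets
import stat
import string

# Mixed-case letters, digits and punctuation: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 30, alphabet: str = ALPHABET) -> str:
    """Return a random password drawn from `alphabet` using the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def write_secret_file(path: str, secret: str) -> None:
    """Create `path` readable and writable by the owner only, then store the secret."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    os.chmod(path, 0o600)  # re-apply in case the file already existed


def read_secret_file(path: str) -> str:
    """Load the secret, refusing a file that other users on the host can read."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group or others; fix with chmod 600")
    with open(path) as fh:
        return fh.read().strip()


if __name__ == "__main__":
    # Hypothetical location; a real deployment would pick its own path.
    secret_path = os.path.expanduser("~/.remote-job-password")
    pw = generate_password()
    write_secret_file(secret_path, pw)
    print(f"stored {len(pw)}-character password in {secret_path}")
    print(f"30 chars from {len(ALPHABET)} symbols: {entropy_bits(30, len(ALPHABET)):.1f} bits")
    print(f" 8 chars from {len(ALPHABET)} symbols: {entropy_bits(8, len(ALPHABET)):.1f} bits")
    assert read_secret_file(secret_path) == pw
```

The 30-character version comes out near 197 bits of entropy against about 52 bits for the 8-character limit mentioned later in the post, which is the whole point: a credential no human types can be as long as the remote system allows.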
But going a step further, a lot of things, like my bank login, are things that (1) Firefox usually remembers, and (2) I can have e-mailed to me if I forget them. Why not do the same there?
And an obligatory shout-out of shame to American Express, which still prohibits their customers from setting passwords longer than 8 characters. Seriously, guys, that would have been lame in 1997.