Stronger passwords?

Posted: September 9th, 2007 | Author: steve | Filed under: security

There’s a great article at Coding Horror that makes an interesting proposal for strengthening passwords: using pass-phrases rather than pass-words.

The idea is to use a phrase rather than a single word. For example, a worst-case scenario would be:

old password: password

new password: this is my password

Whilst I agree that a passphrase may be marginally stronger than a password, I still think it will suffer the same weakness: the user. Users pick passwords that they can remember and these are nearly always weak - their dog’s name, their favourite book, etc. A phrase would be no different: people would use a quote from a film, a common saying or something else easily recognisable.

As stated in the comments of the Coding Horror post, the problem with passwords will always exist: a user needs to remember a password and because of that they will nearly always choose weak ones.
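A service that accepts passphrases can screen them for exactly these predictable choices, in the same way it screens single-word passwords. The Python below is an added example, not code from this post or from Coding Horror; the word lists, thresholds and function names are constructed assumptions, and a real deployment would load far larger lists.

```python
import re

# Constructed sample lists (assumptions, not from the original post).
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "123456"}
KNOWN_PHRASES = {
    "may the force be with you",
    "to be or not to be",
    "a stitch in time saves nine",
}
# Short filler words add length but very little guessing difficulty.
FILLER_WORDS = {"this", "is", "my", "the", "a", "an", "new", "old"}


def normalize(candidate):
    """Lowercase, drop punctuation, collapse runs of whitespace."""
    text = re.sub(r"[^a-z0-9\s]", "", candidate.lower())
    return " ".join(text.split())


def screen_passphrase(candidate, min_words=4, min_core=3):
    """Return (accepted, reason) for a candidate passphrase."""
    norm = normalize(candidate)
    words = norm.split()
    if len(words) < min_words:
        return False, "too few words"
    # Changing spacing or punctuation does not hide a well-known phrase.
    squashed = norm.replace(" ", "")
    for phrase in KNOWN_PHRASES:
        if phrase.replace(" ", "") in squashed:
            return False, "contains a well-known phrase"
    # Only the non-filler words contribute real guessing difficulty.
    core = [w for w in words if w not in FILLER_WORDS]
    if all(w in COMMON_PASSWORDS for w in core):
        return False, "only filler words and common passwords"
    if len(set(core)) < min_core:
        return False, "too few distinct non-filler words"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("password", "this is my password",
                   "May the Force be with you!",
                   "copper lantern walks sideways"):
        print(repr(sample), screen_passphrase(sample))
```

The post's own "worst-case" passphrase, `this is my password`, is rejected because nothing remains once the filler words are removed except a common password.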


