Comment Re:Users are *bad* at choosing passwords (Score 1) 159
Passphrases *can* be done securely; most people won't. They will concatenate simple words, which means if I have a dictionary of, say, the top 1,000 words, it's still reasonably feasible to crack.
For instance, here are some long passphrase-like passwords that I cracked from the LinkedIn debacle. They used plain MD5 as the hash, which admittedly helps cracking a lot. I haven't tried the depleted hash list in a long time, but I'm willing to bet with advances in both OCLHashcat and my own skills, I could get quite a bit more.
24 sociological imagination
24 linkedinlinkedinlinkedin
23 newlinkedinpassword1234
22 harekrishnaharekrishna
21 networknetworknetwork
21 managerialeconomics23
20 vaffanculovaffanculo
20 serafimovaserafimova
20 Restoration Hardware
20 powerpowerpowerpower
20 keepitrealkeepitreal
20 kazakhstankazakhstan
20 internationalnetwork
20 crisscrossapplesauce
At the end of the day, there's just no substitute for a long random password.
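As an added illustration of the dictionary-concatenation point above (example code written for this page, not the commenter's own cracking setup): a defensive checker that tries to segment a candidate passphrase into common words and estimates the guessing entropy an attacker holding a top-1,000 wordlist faces. The word set is a constructed stand-in and the 1,000-word rank depth is an assumption.

```python
import math
from typing import List, Optional, Set

# Constructed toy word set standing in for a "top 1,000 words" list
# (assumption: a real check loads a frequency-ranked wordlist instead).
COMMON_WORDS: Set[str] = {
    "power", "keep", "it", "real", "network", "international", "manager",
    "crisscross", "applesauce", "linkedin", "password", "new", "hare",
    "krishna", "restoration", "hardware", "sociological", "imagination",
}
DICT_SIZE = 1000  # assumed rank depth the attacker enumerates per word slot


def segment(password: str, words: Set[str] = COMMON_WORDS) -> Optional[List[str]]:
    """Split the passphrase into the fewest dictionary words, or None if it
    is not a pure concatenation. Case, spaces and digits are normalised away
    because cracking rules strip or append those cheaply, so they add little."""
    s = "".join(ch for ch in password.lower() if ch.isalpha())
    if not s:
        return None
    # best[i] = cheapest segmentation of s[:i], built up prefix by prefix
    best: List[Optional[List[str]]] = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(i):
            if best[j] is not None and s[j:i] in words:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def effective_bits(password: str, words: Set[str] = COMMON_WORDS) -> float:
    """Rough guessing entropy against a DICT_SIZE wordlist.
    Each distinct word slot costs log2(DICT_SIZE); a single word repeated N
    times costs one word plus a repeat count, which is why
    'powerpowerpowerpower' scores far below its 20-character length.
    Non-segmentable input falls back to a per-character lowercase estimate."""
    parts = segment(password, words)
    if parts is None:
        return len(password) * math.log2(26)
    if len(set(parts)) == 1:
        return math.log2(DICT_SIZE) + math.log2(len(parts))
    return len(parts) * math.log2(DICT_SIZE)
```

Run on the cracked entries above, the repeated-word passphrases come out near 12 bits and the word-concatenations near 30 to 60 bits, against roughly 94 bits for a random 20-letter string of the same length.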