On 2007/09/10 18:29, jul wrote:
> * if too many restrictions on passphrase, they will go on post-it, PDA
> or else which are, in general, less secure.

Depends on the threat model, but that is often safer than a weak memorised password. How about this as a better alternative: write down a strong password fragment, and add something more easily memorable. Then use the two parts together as the actual password. But then, key-loggers change the game a lot. Regular password changes or OTP are a big help there.