1) It gives the user a chance to have something memorable yet still hard to guess.

2) It means that if my most memorable phrase is “I am the g33kiest” I don’t have to try to squish it down into “img3kt” and then remember how I squished it.

Having said all that, it’s about time we gave up on passwords altogether, but sadly the alternatives are considered too complex for the average online banker.

Also, it is difficult to remember longer random passwords. 2jf9g! is a much stronger passwords than iloveyou or your phone number, despite the fact that your phone number is 10 digits long. If I was trying to hack your account it would be the first thing I would try.

Yes, ideally, you want your password to be longer AND hard to guess, but much of the time when people are forced to pick longer passwords they actually make the password easier to guess by using actual words or phone numbers, or some other kind of meaningful data. The very first thing a brute force attack will attempt is all the words in the dictionary, so ‘morphophonemic’ is a very poor password compared to ‘19dj^p’.

As far as them re-setting it to something simple, if they didn’t advise you to change it immediately, then that’s pretty poor security alright.

The bottom line with passwords schemes is this. The harder you make it to remember, the easier the end-user will try to make it to guess. Humans are lazy and don’t like to put huge amounts of effort into remembering things, forcing frequent password changes, or longer passwords rarely results in users actually choosing better passwords, it usually results in the exact opposite. At least that’s what I’ve seen.

It was a Jacobs.

That wee bugger just wouldn’t give up being flakey…

How I loved that cracker.

With a nice slice of mature cheddar…

He wished he had been more secure too.

Oh, that cracker.

*wanders off chuckling to self*