LinuxQuestions.org
Old 04-11-2006, 02:46 PM   #1
Computer Guru
LQ Newbie
 
Registered: Apr 2006
Posts: 22

Rep: Reputation: 0
Uncrackable Passwords


Hello All,
My company just published a research whitepaper on the possibility of uncrackable passwords, and I'm trying to raise awareness on this issue.
It seems that now no one is safe online, and we're trying something more or less new in a novel approach to revamping the password model.

Although uncrackable passwords technically don't exist, it's possible to come real close: The Advent of Uncrackable Passwords

Feel free to share your comments below or at the link, we take all comments seriously, and would love to improve on this document.

I hope it helps,
CG
 
Old 04-11-2006, 02:57 PM   #2
brianthegreat
Member
 
Registered: Oct 2005
Posts: 518

Rep: Reputation: 32
All passwords can be cracked in time no matter what they are. So changing the passwords every month helps protect systems/networks. The issue is users that possess passwords that are easy to guess. Or users that can never remember their passwords.
 
Old 04-11-2006, 03:02 PM   #3
Computer Guru
LQ Newbie
 
Registered: Apr 2006
Posts: 22

Original Poster
Rep: Reputation: 0
^ out of curiosity: did you read it?
Because it addresses both these issues:

Quote:
1
Obviously no password is actually uncrackable, in this document the term “uncrackable” refers to “realistically or
technically uncrackable.” Please refer to the remainder of the document for more details.
Quote:
While this may seem complicated, it really isn’t. Many people memorize 20-character
passphrases at the moment without needing to write them down. Instead of remembering
eIEO86#44*&$uk; remembering 9-5-3 9-2-5 9-6-7 is much easier. Make use of logical/visual patterns on
the keypad and it becomes easier still: 9-8-7 1-2-3 4-5-6 is just as strong!
 
Old 04-11-2006, 03:10 PM   #4
geeman2.0
Member
 
Registered: Feb 2005
Location: Ontario, Canada
Distribution: Gentoo, Slackware
Posts: 345

Rep: Reputation: 30
I read the whole thing, and it raises some interesting possibilities.

However:
Quote:
remembering 9-5-3 9-2-5 9-6-7 is much easier. Make use of logical/visual patterns on
the keypad and it becomes easier still: 9-8-7 1-2-3 4-5-6 is just as strong!
If you're advising them to use this scheme, then really their passwords degenerate to a 9-character password from a 9-letter alphabet.
If the government reads your document, then they could brute-force your users' passwords using only 9^9 guesses, which isn't all that much.

To get the full benefit you'd need your users to use much longer unicode passwords, which would translate to far more than 9 digits for the user to remember.
 
Old 04-11-2006, 03:31 PM   #5
Computer Guru
LQ Newbie
 
Registered: Apr 2006
Posts: 22

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by geeman2.0
I read the whole thing, and it raises some interesting possibilities.

However:


If you're advising them to use this scheme, then really their passwords degenerate to a 9-character password from a 9-letter alphabet.
If the government reads your document, then they could brute-force your users' passwords using only 9^9 guesses, which isn't all that much.

To get the full benefit you'd need your users to use much longer unicode passwords, which would translate to far more than 9 digits for the user to remember.
Yeah, you're definitely right there.
However, I most certainly am not advising using that... it's just a password easier than others.

At the same time, 745 896 123 123, all of a sudden it's much harder to guess, and almost as easy to remember (look at the number pad, it's geometric sequencing).
 
Old 04-11-2006, 05:01 PM   #6
simcox1
Member
 
Registered: Mar 2005
Location: UK
Distribution: Slackware
Posts: 794
Blog Entries: 2

Rep: Reputation: 30
Your idea is basically to make passwords more complicated by increasing the possible number of characters. Assuming it's fairly straightforward to enter them. The problem there is that ultimately the speed and power of computers will catch up with you, no matter how many characters you use. If you've got really important data online, like a bank account, it's probably better not to have an online account at all.
 
Old 04-11-2006, 05:09 PM   #7
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Rep: Reputation: 30
Fact is: Average Joe is not willing to remember a password longer than a given number of characters. By having him have to remember three figures to enter a single character you will restrict the password length he is willing to use to something like 4-5 characters. (12-15 keystrokes: that's actually already more than most people are willing to enter to start using a computer.)
Your only protection is the fact that password cracking programs don't look for Unicode symbols at the moment. They will, should this method of generating passwords catch on. And then what?
 
Old 04-11-2006, 07:54 PM   #8
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
In future schemes, passwords should be fully binary (generated randomly) and the user should specify the hexadecimal string (a 16-byte alphabet may be easier to remember) or encoded using Base-64 (64-byte alphabet). The latter is better as it has a ratio of 4:3 (hexadecimal would be 2:1).
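
Added example, not part of any post in this thread: the keystroke-counting point from post #4 and the hex versus Base-64 ratios from post #8, worked through as arithmetic. The guess rate of 10^9 per second, the 15-byte secret size and the scheme labels are assumptions chosen for illustration.

```python
import base64
import math
import secrets


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of work needed to try every string of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at a fixed rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def random_secret(num_bytes: int) -> dict:
    """Random binary secret rendered in the two encodings from post #8."""
    raw = secrets.token_bytes(num_bytes)
    return {
        "bits": num_bytes * 8,
        "hex": raw.hex(),                                   # 2 chars per byte
        "base64": base64.b64encode(raw).decode("ascii"),    # 4 chars per 3 bytes
    }


def compare(guesses_per_second: float = 1e9) -> list:
    """Constructed scenarios; an attacker who knows the entry scheme
    enumerates keystrokes, not the characters they produce."""
    schemes = [
        ("9 keystrokes, keys 1-9 (post #4)", 9, 9),
        ("9 keystrokes, keys 0-9", 10, 9),
        ("15 keystrokes, keys 0-9 (post #7 limit)", 10, 15),
        ("15 random bytes as hex, 30 chars", 16, 30),
        ("15 random bytes as Base-64, 20 chars", 64, 20),
    ]
    rows = []
    for name, alphabet, length in schemes:
        bits = keyspace_bits(alphabet, length)
        rows.append((name, round(bits, 1),
                     years_to_exhaust(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    for name, bits, years in compare():
        print(f"{name:42s} {bits:6.1f} bits  {years:.3g} years")
    s = random_secret(15)
    print(s["bits"], "bits:", len(s["hex"]), "hex chars,",
          len(s["base64"]), "Base-64 chars")
```

Both encodings of the random secret carry the same 120 bits; Base-64 only reduces how many characters have to be typed.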
 
Old 04-11-2006, 09:38 PM   #9
geeman2.0
Member
 
Registered: Feb 2005
Location: Ontario, Canada
Distribution: Gentoo, Slackware
Posts: 345

Rep: Reputation: 30
Quote:
Your only protection is the fact that password cracking programs don't look for Unicode symbols at the moment.
As long as this remains the case, a single Unicode character is just as secure as 100 of them.
 
Old 04-11-2006, 10:20 PM   #10
J.W.
LQ Veteran
 
Registered: Mar 2003
Location: Boise, ID
Distribution: Mint
Posts: 6,642

Rep: Reputation: 87
Given enough time, *any* password can be cracked.

I agree fully though with the OP's main point, which is to use strong passwords rather than lame, easily guessed PW's. Using special characters as a component of a more secure PW is a good idea, but may be beyond the average user's skills.

The article makes an excellent point though, and I support it fully.
 
Old 04-12-2006, 01:25 AM   #11
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
Meaningful passwords/passphrases make it simple for the user to remember but can still be quite secure. My private key passphrase is a phrase from a classical novel with a one letter mis-spelling that changes the meaning. I can rattle it off quickly on the keyboard, but it is long and no dictionary attack will ever find it. A brute force attack might, but the universe might end first.

My usual "password" is a string combination that includes numbers that have meaning to me, with interspersed text strings that have meaning to me. Since they have meaning, I can remember them without effort. I can also permute them many different ways. I have run crackers on my own passwords and have stopped them after a couple of days; seemed good enough.

It doesn't have to be difficult...just takes a bit of thought to come up with a system.
 
Old 04-12-2006, 03:41 AM   #12
Computer Guru
LQ Newbie
 
Registered: Apr 2006
Posts: 22

Original Poster
Rep: Reputation: 0
Thanks for the kind replies guys, much appreciated.
Any suggestions?

Last edited by Computer Guru; 04-12-2006 at 03:49 AM.
 
  

