What this means for you
The conclusion of the report is that there are effectively two kinds of passwords: those that can withstand one million guesses, and those that can withstand one hundred trillion guesses.
According to the researchers, passwords that sit between those two thresholds are more than you need to be resilient to an online attack but not enough to withstand an offline attack.
Users, they suggest, should shepherd their finite effort wisely and spend it on high-value sites.
User effort available for managing password portfolios is finite. Users should spend less effort on password management issues ... for don't-care and lower consequence accounts, allowing more effort on higher consequence accounts.
Systems administrators, they say, should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen.
The composition policies and strength meters that systems administrators impose have not delivered offline-resistant passwords, and putting the burden on users by asking them to create passwords long enough to withstand offline attacks is wasted effort: they simply won't do it in large enough numbers.
...attempts to get users to choose passwords that will resist offline guessing, e.g., by composition policies, advice and strength meters, must largely be judged failures...
Zero-user-burden mechanisms largely or entirely eliminating offline attacks exist, but are little-used... Demanding passwords that will withstand offline attack is a defense-in-depth approach necessary only when a site has failed both to protect the password file, and to detect the leak and respond suitably.
If systems administrators protected their password files and detected leaks properly, they say, then you and I could happily stay secure with nothing more than a short PIN for each website.
Unfortunately there’s no way for you to tell the good sites from the bad ones – do you know if the website you’ve just used stores its passwords in plain text or uses keyed hash functions? And if they told you, would you believe them?
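The following Python is an added illustration, not code from the report or from the original article, of the three points above: a keyspace-based strength estimate of the kind meters use, the report's two guess thresholds, and how the site's storage choice (a fast unsalted hash versus a keyed hash whose key never sits in the password database) decides whether a leaked database can be attacked offline at all. The thresholds are the report's; the wordlist, the sample passwords and the server key are constructed for the demonstration.

```python
"""Added example: the two guess thresholds from the report, a crude
strength-meter estimate, and a simulated offline attack against two ways
of storing the same passwords. Not the report's or the article's code."""
import hashlib
import hmac
import os

# Guess budgets from the report: an online attacker is throttled by the
# service; an offline attacker holding a leaked hash file is not.
ONLINE_GUESSES = 10**6
OFFLINE_GUESSES = 10**14


def guess_space(password: str) -> int:
    """Keyspace estimate of the kind strength meters use:
    (size of the alphabet the password draws from) ** length.
    It is an upper bound; a dictionary attacker needs far fewer guesses."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation
    return alphabet ** len(password)


def classify(password: str) -> str:
    """Bucket a password against the report's two thresholds."""
    n = guess_space(password)
    if n < ONLINE_GUESSES:
        return "weak"
    if n < OFFLINE_GUESSES:
        return "online-only"  # the wasted middle ground
    return "offline-resistant"


# --- two ways a site might store the same password ----------------------

def store_unsalted(password: str) -> str:
    """Bad practice: fast, unsalted, unkeyed hash. The dump alone lets an
    attacker test guesses at full speed."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_keyed(password: str, key: bytes) -> str:
    """Keyed hash: HMAC over salt||password with a server-side key that is
    kept outside the password database (assumed here to live in an HSM or
    a separate service). Without the key no guess can be checked."""
    salt = os.urandom(16)
    tag = hmac.new(key, salt + password.encode(), "sha256").hexdigest()
    return salt.hex() + "$" + tag


def verify_keyed(password: str, record: str, key: bytes) -> bool:
    salt_hex, tag = record.split("$", 1)
    expected = hmac.new(key, bytes.fromhex(salt_hex) + password.encode(),
                        "sha256").hexdigest()
    return hmac.compare_digest(expected, tag)


def offline_attack(records, wordlist, key=None):
    """Simulate an attacker who holds the dumped records. key=None means
    they have only the dump; passing the key means they have everything."""
    cracked = []
    for rec in records:
        if "$" in rec:                      # keyed record
            if key is None:
                continue                    # no key, no way to test a guess
            matches = lambda g, r=rec: verify_keyed(g, r, key)
        else:
            matches = lambda g, r=rec: store_unsalted(g) == r
        for guess in wordlist:
            if matches(guess):
                cracked.append(guess)
                break
    return cracked


if __name__ == "__main__":
    WORDLIST = ["123456", "password", "password123", "qwerty", "letmein"]  # constructed
    SERVER_KEY = b"demo-only-key-kept-outside-the-database"               # constructed
    for pw in ["1234", "kitten7", "password123", "Tr0ub4dor&3"]:
        print(f"{pw:12s} keyspace={guess_space(pw):.1e} -> {classify(pw)}")
    users = ["password123", "Tr0ub4dor&3"]
    dump_bad = [store_unsalted(p) for p in users]
    dump_good = [store_keyed(p, SERVER_KEY) for p in users]
    print("unsalted dump, cracked:   ", offline_attack(dump_bad, WORDLIST))
    print("keyed dump, no key:       ", offline_attack(dump_good, WORDLIST))
    print("keyed dump, key stolen too:", offline_attack(dump_good, WORDLIST, SERVER_KEY))
```

Note what the run shows: the meter rates "password123" as offline-resistant because 36^11 exceeds 10^14, yet it falls to the third word of a tiny list when stored unsalted; stored under a keyed hash, the same user-chosen password survives the leak because the dump alone gives the attacker nothing to test guesses against. The user cannot see which of the two columns their site is in.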
As a user, the only part of a security system you know anything about for sure is the bit you create, namely your password. Your password choice might not strengthen a weak system but it can certainly weaken a strong one.