In Grimes' own words:
For the record, I know complexity makes a stronger password, but my assertion is that length is just as valuable (especially if complexity cannot be guaranteed, which it can't in most cases)... especially if passphrase cracking software isn't widely available (which it isn't).
This is a big deal to security-oriented folk because it provides fodder for food fights. More important, however, is that if Grimes' assertion proves correct, more people would use stronger passwords than they do today, because the passwords could be made of familiar words rather than hard-to-memorize random gibberish. The difficulty of creating and remembering passwords is probably the biggest barrier to strong password usage.
Traditional thinking has been that adding complexity -- using both upper and lowercase letters, and adding numerals as well -- is the best way to create strong passwords. The problem with complexity is that it makes passwords difficult to remember as well as difficult to crack.
Less complex passwords -- the use of names or words -- have been discouraged because they are subject to dictionary attacks, which can crack them in seconds. With length, however, passphrases can replace passwords, and, made of common words or not, there are no dictionary attacks against phrases, so passphrases like "theraininSpain" or "arosebyanyothername" offer considerable strength based on their length but remain easy to remember.
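To make the length-versus-complexity argument concrete, here is an added example (not from the article or from Grimes) that estimates the guessing work for the two kinds of secret discussed above: a random 10-character mixed-case alphanumeric password, and the two passphrases, scored both naively by length and as a combination of dictionary words. The word list is a tiny constructed stand-in, and DICT_SIZE (10,000) is an assumed size for a realistic common-word list.

```python
import math

# Constructed, tiny stand-in for a real word list; DICT_SIZE models the
# size of the common-word list a guessing tool would actually carry.
WORDS = {"the", "rain", "in", "spain", "a", "rose", "arose", "by", "any",
         "other", "name", "pain", "an"}
DICT_SIZE = 10_000  # assumed size of a realistic common-word list

def random_password_bits(length, charset_size):
    """Bits of a uniformly random password: length * log2(charset size)."""
    return length * math.log2(charset_size)

def min_word_segmentation(phrase, words):
    """Split `phrase` into the fewest dictionary words that exactly cover
    it (None if no such split exists). Fewest words is the view that
    favours the guesser: each word costs log2(DICT_SIZE) bits to guess,
    however many characters it contributes to the phrase."""
    best = [None] * (len(phrase) + 1)  # best[i]: fewest-word cover of phrase[:i]
    best[0] = []
    for i in range(1, len(phrase) + 1):
        for j in range(i):
            if best[j] is not None and phrase[j:i] in words:
                cand = best[j] + [phrase[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(phrase)]

def passphrase_bits(phrase, words=WORDS, dict_size=DICT_SIZE):
    """Bits a word-combination guess must search, or None when the phrase
    cannot be built from dictionary words at all."""
    seg = min_word_segmentation(phrase.lower(), words)
    return None if seg is None else len(seg) * math.log2(dict_size)

def strength_report(phrase):
    """Compare the naive length estimate (every character treated as a
    random lowercase letter) with the word-combination estimate."""
    naive = random_password_bits(len(phrase), 26)
    combo = passphrase_bits(phrase)
    return {"phrase": phrase, "naive_bits": round(naive, 1),
            "word_combo_bits": None if combo is None else round(combo, 1)}

if __name__ == "__main__":
    print("10-char mixed-case alphanumeric, random:",
          round(random_password_bits(10, 62), 1), "bits")
    for p in ("theraininSpain", "arosebyanyothername"):
        print(strength_report(p))
```

The gap between naive_bits and word_combo_bits is the point a policy author needs: a passphrase's strength comes from how many words it contains and how large the word list is, not from its character count alone.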
The first challenge is as follows:
Challenge #1 (Complexity at 10 characters) for the first person to email
me (Grimes) the plaintext equivalent to the following NT hashes:
Easiest Challenge: 0570B4C2CC734E230DE9B67C868FAE04
Clues Normal Password Cracker Would Not Have:
1. It's 10 characters long exactly
2. Contains no words contained in the English dictionary, but is based
upon two words that have been "license-plated" (i.e. hybrid attack is
3. Moderate complexity, but nothing beyond alpha letters and numbers.