“Fluffy is puffy” is a secure passphrase?

Yes, according to Danish blogger Baekdal. Check out Baekdal’s extremely widely-read “The usability of passwords”.

It is 10 times more secure to use “this is fun” as your password, than “J4fS<2”.

This approach to passphrases looks right to me, and timely — as today I wanted to change our Gmail passphrases, prompted by James Fallows’ recent experience. Most of our critical security codes are auto-generated pseudo random strings kept in 1Password. But for Gmail/Google account we need credentials we can remember. Similarly for the 1Password master passphrase.

I’ve not had time to research the Fallows Gmail issue. At first I thought he was misled by email-sender spoofing, but he says not. We’ll see. Hopefully Fallows has misdiagnosed his wife’s email issue and it proves not to be a compromised Gmail account. Or if it is, the fault is with a guessable password or similar.

See his first post on 31 April for a possible cause for his problem (taunting spammers).

If you wish to torture yourself with more commentary on password security, see How I’d Hack Your Weak Passwords and Allen Ludden never got cracked, where you can get right into the equations to compute how many centuries it will take to brute-force crack your new passphrase.
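To make the comparison concrete, here is an added Python example (not code from Baekdal or from the linked posts) that runs the brute-force arithmetic those articles walk through. It computes the worst-case number of guesses and the time to exhaust them for the two passwords quoted above, under two attacker models: guessing character by character (the passphrase’s longer length wins), and guessing whole words from a dictionary (where a passphrase of very common words can lose). The alphabet sizes, the 2,000-word dictionary and the one-billion-guesses-per-second rate are constructed assumptions for illustration, not figures from the page.

```python
import math

# Constructed assumptions for the example (not from the original post).
PRINTABLE_ASCII = 95        # letters, digits, punctuation and space
LOWER_AND_SPACE = 27        # a-z plus the space character
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an attacker must try, worst case, when guessing one character at a time."""
    return alphabet_size ** length


def word_keyspace(dictionary_size: int, word_count: int) -> int:
    """Candidates when the attacker knows the passphrase is `word_count` words from a known dictionary."""
    return dictionary_size ** word_count


def bits(keyspace: int) -> float:
    """Entropy in bits equivalent to a keyspace of the given size."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Years needed to try every candidate at a fixed guess rate (worst case for the attacker)."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def compare(random_pw: str, passphrase: str,
            dictionary_size: int = 2000, guesses_per_second: float = 1e9) -> dict:
    """Return the keyspaces, bits and crack times for both passwords under both attacker models."""
    char_random = char_keyspace(PRINTABLE_ASCII, len(random_pw))
    char_phrase = char_keyspace(LOWER_AND_SPACE, len(passphrase))
    word_phrase = word_keyspace(dictionary_size, len(passphrase.split()))
    return {
        "random_chars": {"keyspace": char_random, "bits": bits(char_random),
                         "years": years_to_exhaust(char_random, guesses_per_second)},
        "phrase_chars": {"keyspace": char_phrase, "bits": bits(char_phrase),
                         "years": years_to_exhaust(char_phrase, guesses_per_second)},
        "phrase_words": {"keyspace": word_phrase, "bits": bits(word_phrase),
                         "years": years_to_exhaust(word_phrase, guesses_per_second)},
    }


if __name__ == "__main__":
    result = compare("J4fS<2", "this is fun")
    for model, r in result.items():
        print(f"{model:13s} keyspace={r['keyspace']:.3e} bits={r['bits']:.1f} years={r['years']:.2e}")
```

Run as-is, it shows why the attacker’s model matters: character by character, “this is fun” offers about 52 bits against roughly 39 for “J4fS<2”, several thousand times more work. Against a cracker that assembles three words from a 2,000-word list, the same phrase drops to about 33 bits. The defence is the one the passphrase approach already relies on: more words, or less common ones, rather than more punctuation.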