In the light of a new day I’m willing to accept that Ken wasn’t being disingenuous, he was just saving keystrokes as you suggest.
Jeff’s reasoning has everything to do with the crackability of the passwords, and nothing to do with the material being protected. As he details, even a 10-character password can be easily cracked in a few hours. If you have NSA-level resources, that’s probably true for any password.
So now we can consider the really interesting question, namely how much security is “enough”? To answer this question, we have to ask Bruce Schneier’s questions:
- how much is the data worth?
- what are the resources of the opponent?
- how long must it remain secure?
Given that forum membership is available for free with two minutes’ effort, I have to conclude that forum access is worth approximately nothing. By requiring long passwords, you’re protecting approximately nothing. So “enough” is very little indeed in the context of this forum.
The same is not true for the administrators and developers on the Glasswire server. Their passwords secure quite a bit of valuable data, including my forum password, and I like to think that they have good passwords. The bar is much higher for them.
I have nothing against people who pick long passwords, but I do have a problem with people who require that I do so. My security is my business, not yours. Anything mandated is for your benefit, not mine. If I want to leave my wallet and keys out on a park bench, that’s for me to decide, not you. A compromise of my forum password does not represent a risk for anybody else, so why should anybody else care whether my password is crackable in two seconds or two hours?
Yes, a longer password is more secure, but it’s also overkill for a forum password. If you like overkill, that’s fine, but there is no logical reason to impose it on other people.