Sunday, February 13, 2005

A word on security

...and that word is, of course, stupid.

I saw some comments on the page that adequately express what an utterly retarded concept this is. The gist: existing passwords are insecure because you can pre-compute values such that breaking a password amounts to doing a lookup in a big database, and that can be done within seconds. (This is true.) The "solution" is to use passphrases. (This is dumb.) The argument goes: well, passphrases are much easier to remember, but they're often 20 to 30 characters long, and it would take forever to crack something that long! Except you're still assuming that the cracker would have to guess all the letters in your password individually. Not true. Even a dumb attacker is going to precompute based on different dictionary words thrown together, and an intelligent attacker is simply going to carry around a Bartlett's Quotations instead of a dictionary. The space of memorable quotes is far, far smaller than the space of potentially random letters in a 10-character password. Smartcards are the only reasonable way to do this.

A note on the issue for the less than technical:
How do passwords work? Why do we CS nerd types get a warm fuzzy feeling that our data is secure behind a password? Well, Virginia, what generally happens when you type a password into your computer on your keyboard is that the computer utters a few magic words while in solemn concentration over your secret password and transforms it into a concealed form. Less metaphorically, it computes a cryptographic hash function on your password. The nice property of such a hash function is that after it's done, the output looks pretty much nothing like the stuff you typed in, and it is provable by the dark mages of theory that there's no "easy" way for anyone to compute the reverse (i.e., get from the hash value back to your password). Such magic wands are called "one-way functions", because you can use such a wand to turn a password into its hash, but you can't do the reverse. So, we can verify that you're typing the right password by hashing it as we did before and comparing it to the original hash. If they match, you gave us the right password. If not, quit trying to steal my shit.

So, as someone who is trying to game the system, you're left with picking passwords by "brute force" and seeing if they work. This is not so much impossible as it is hard, and it requires way more time than anyone wants to spend on it. But it turns out that for the password lengths anyone bothers to use, it's fairly easy to pre-compute the hashes of every password you might possibly be inclined to use, store them on a disk, and then carry them with you in your encryption-breaking shenanigans. Now, you have to actually get hold of the hash you want to find a password for, which is why they mention watching network traffic go over the wire. Once you have such a thing, voila! Your password is done broke.
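To make the two paragraphs above concrete, here is an added example (my code, not anything from the original post) that implements the hash-and-compare check, builds a tiny precomputed lookup table over a constructed candidate list (a stand-in for the dictionary or quotation book), and shows why a famous quote used as a "passphrase" falls to a single lookup. It also shows the standard caveat the post leaves out: a per-user random salt, which the post does not discuss, makes a precomputed table useless. SHA-256 is used as a generic stand-in for the one-way function, not as a recommendation for a password hash.

```python
import hashlib
import os

# Constructed demo data: a tiny "dictionary" of candidate secrets, standing in
# for the word lists and quotation books the post describes.
CANDIDATES = [
    "password", "letmein", "dragon",
    "To be or not to be, that is the question",
    "A penny saved is a penny earned",
]
QUOTE = "To be or not to be, that is the question"

def hash_password(password: str, salt: bytes = b"") -> str:
    """One-way transform of a password (optionally prefixed with a salt)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def verify(password: str, stored_hash: str, salt: bytes = b"") -> bool:
    """The check the post describes: hash the attempt the same way, compare."""
    return hash_password(password, salt) == stored_hash

def build_lookup_table(candidates):
    """Precompute the unsalted hash of every candidate once; later the
    'attack' is a dictionary lookup, not a search."""
    return {hash_password(c): c for c in candidates}

def lookup(table, stored_hash):
    """Recover the secret behind an unsalted hash, if it is in the table."""
    return table.get(stored_hash)

def demo():
    table = build_lookup_table(CANDIDATES)
    # A 40-character quote is a long "passphrase", but it is in the table,
    # so its hash is recovered instantly regardless of its length.
    found = lookup(table, hash_password(QUOTE))
    # A random per-user salt changes the hash, so a table built without that
    # salt never contains it; an attacker would need a new table per user.
    salt = os.urandom(16)
    salted_hash = hash_password(QUOTE, salt)
    not_found = lookup(table, salted_hash)
    # Legitimate verification still works because the server stores the salt.
    ok = verify(QUOTE, salted_hash, salt)
    return found, not_found, ok
```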
