Craig White wrote:
> it's actually the fault of the admins who don't use any password
> checking mechanisms, but I suppose that it's more feasible to blame
> stupid users...of course, I would never do such a thing ;-)
There is quite a deal of well-reasoned debate about what constitutes a
good password.
First, one needs to be able to remember it without writing it down. This
meets Windows AD complexity requirements,
10:72:94:e5:64:d5:68:51:d1:55:c0:2b:e5:4e:7f:fa
but I defy anyone to remember it any time soon!
"bismcoles" would probably be easy for Bill Smith to remember, and would
certainly defy any dictionary attack. As would "bluewatermelon."
The expect package has a password generator that creates passwords like
this, but again they're hard to remember: "et3tUfGd."
A reasonable security system would shut down the login process for a
time after some number of consecutive failed login attempts. It's a rule
that's been around for a long time; it's even in Linux, but implemented
poorly.
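The lockout rule described in the last paragraph, as an added Python example that is not part of the original thread (the LoginThrottle class, the threshold, the lockout window and the sample account are assumptions for illustration):

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # monotonic timestamp; 0 means not locked


class LoginThrottle:
    """Per-account lockout: after `threshold` consecutive failures the account
    is refused for `lockout_seconds`, even if the right password is supplied.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, threshold=5, lockout_seconds=900, clock=time.monotonic):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user):
        return self.clock() < self._state(user).locked_until

    def attempt(self, user, password, verify):
        """Return 'locked', 'ok' or 'failed'. `verify(user, password)` is the
        real credential check; it is never consulted while the account is locked,
        so a locked account gives no oracle on whether the guess was right."""
        st = self._state(user)
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        if verify(user, password):
            st.failures = 0       # success clears the failure counter
            return "ok"
        st.failures += 1
        if st.failures >= self.threshold:
            # Start the lockout window and reset the counter so the next
            # window after expiry starts from zero again.
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
        return "failed"
```

Note that a per-account lockout lets anyone who knows a username deny that user service for the lockout window, which is why many deployments pair it with a per-source-address limit and alerting rather than relying on account lockout alone.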