Strong Passwords Not As Good As You Think

Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now.

Re:News at 11

[AmberBlackCat]

At the places I've worked, I bet you can reduce the brute force time from years to seconds if you know the names of everybody's kids and pets...

Re:News at 11

[CapnStank]

AmberBlackCat has it right. I worked in IT where there was 1 guy who COULDN'T understand password reset procedure. Down side was that he always demanded that it be reset to his name (maybe a 123 or something added) but nothing more. Just so happens that his name was also the name of the company. Need to guess the password? I'd say you'd have a harder time NOT guessing it.

And I don't blame him sometimes. He was 60+, computers were not his forte and he had to come up with a password that:
A) Expired every 45 days
B) Could not be manually reset to a password that's been used within the last 20 passwords
C) 8+ characters long
D) Numbers
E) Capitals

Hell, I got 3-4 passwords that don't expire on the same sync so I'm slowly losing my mind trying to remember them within the 3 try lockout period. Sure, I can unlock myself but its still crap trying to do it.