It's not the difficulty (that is, length, various enforcements against common dictionary words, mandated password change every few months or so) of the password that matters. It's the users that do.
Users will always find a way to use a variation of 'password', like password1, or pass-word-1, or something like that.
The problem is that users just don't want to/can't remember complex things.
Thus the real solution is to store a full-blown AES key on a disk and educate users to keep it safe.
Or even write a real random password on a piece of paper, but keep it not under the keyboard, but in their wallet.
If you want some laughs, just look at this blog post that describes the various ways users create insecure passwords.