We have all heard the yada yada, don't use a birthday, mix upper and lower case, change your password often, longer is better etc. etc.... well, human nature makes all of that pure bullshit.
I worked in computer support at many and varied companies and govt organisations, and no matter what the password policy was, it was always defeated by the post-it note on the monitor. The more complex the system forced the password to be, the greater the number of post-it notes you saw hanging off monitors.
The greatest threat to security is not some hacker harnessing the processing power of 10,000 PCs across the world to brute force crack your password, it's anyone walking through the office area taking a peek at the post-it note.
I have 2 passwords I use, one is for my banking login and the other is for everything else: forums, ipernity, e-mail, web site administration, Instant Messenger networks..... everything. Do you think I have either of these written down anywhere? No, of course not, they are ingrained into the fibres of my brain. They are both 6 characters and both contain letters and numbers.
I hate it when you register at a site and they think they are super duper secure because they are forcing you to pick a password that:
- Is 16 characters long
- Does not contain any letters of your name
- Does not contain any letters of your cat's name
- When the letters are converted to numbers and added together it is a prime number.
- When the password is hashed it does not have any letters in your name.
Guess what, Aussie Mastercard, because of your stupid password policy we can't use our normal password and we will have to write it down somewhere as soon as the account is unlocked and the password reset. Anyone who wants to will be able to look at what we wrote down and get into our account, but there is no other way except to get them to reset the password every time we want to log in.
That's the difference between being 'technically' a better password policy and 'practically' being pathetic.