In the real world though, passwords aren't cracked nearly as often as they're read off a post-it note stuck to somebody's monitor.
Loosen complexity and you can eliminate that post-it. That's a huge overall win.
Complexity in itself isn't actually that bad. It's arbitrary complexity that spawns all those post-its. You can come up with a strong password that you and only you can remember, but it's useless if your bank rejects it due to its own silly complexity policy. There are sites out there that I regularly fail to log in with using my standard "strong" passwords, and it's not until I make it all the way through the Reset Password process to where it tells me its complexity requirement that I'm reminded which password I must have used last time I went through the process.
The only real solution is to let people use the word "password" if they really want. It's still orders of magnitude safer than having them keep a file/email/post-it full of plain text passwords sitting around in plain view.
Fully agree with the first post-it point, but I disagree with:
> The only real solution is to let people use the word "password" if they really want. It's still orders of magnitude safer than having them keep a file/email/post-it full of plain text passwords sitting around in plain view.
If I have "password" as the password for my work webmail/remote login, it can be broken by any yokel on the internet with five minutes' free time. If I have "ge.9u30!ey0" written on a post-it note on my desk, it can only be "cracked" by people with physical access to my office.
Also note that people who have physical access to my office already have security privileges similar to my own, mitigating the actual risk - they can't do much more damage with my password than they could without. And if they wanted my private stuff, they could just as well nab my hard disk.
Not that I'm justifying passwords on post-its in any means whatsoever, by the way. :-)
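The two posts above make complementary claims: that arbitrary site policies reject genuinely strong passwords, and that "password" falls to any online guesser within minutes. The following is an added example (not code from either poster) that makes both concrete. The complexity policy, the six-entry wordlist and the guess rates are all constructed for illustration and do not describe any real bank or site; the charset^length figure is a brute-force upper bound, not true entropy, so a passphrase built from dictionary words is weaker than that number suggests.

```python
import math

# Constructed example policy, modelled on the kind of site rules the thread
# complains about. It is not any real site's policy.
POLICY = {
    "min_len": 8,
    "max_len": 12,                # silently rejects long passphrases
    "require_upper": True,
    "require_digit": True,
    "require_symbol": True,
    "allowed_symbols": "!@#$%",   # site-specific symbol whitelist
}

# Constructed stand-in for an attacker's wordlist; real ones have millions of entries.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "letmein", "Password1"]

# Hypothetical guess rates: a rate-limited web login vs. an offline hash cracker.
ONLINE_GUESSES_PER_SEC = 10
OFFLINE_GUESSES_PER_SEC = 1e9


def policy_violations(pw, policy=POLICY):
    """Return the list of rules the password breaks; an empty list means accepted."""
    violations = []
    if len(pw) < policy["min_len"]:
        violations.append("too short")
    if len(pw) > policy["max_len"]:
        violations.append("too long")
    if policy["require_upper"] and not any(c.isupper() for c in pw):
        violations.append("no uppercase")
    if policy["require_digit"] and not any(c.isdigit() for c in pw):
        violations.append("no digit")
    symbols = [c for c in pw if not c.isalnum()]
    if policy["require_symbol"] and not symbols:
        violations.append("no symbol")
    if any(c not in policy["allowed_symbols"] for c in symbols):
        violations.append("disallowed symbol")
    return violations


def guess_space_bits(pw, wordlist=COMMON_PASSWORDS):
    """log2 of the guesses an attacker needs: wordlist rank if listed,
    otherwise the charset^length brute-force bound (an upper bound, not entropy)."""
    if pw in wordlist:
        return math.log2(wordlist.index(pw) + 1)
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(not c.isalnum() for c in pw):
        charset += 33   # printable ASCII punctuation and space
    return len(pw) * math.log2(charset)


def seconds_to_guess(pw, guesses_per_sec):
    """Worst-case time to exhaust the guess space at the given rate."""
    return 2 ** guess_space_bits(pw) / guesses_per_sec


def assess(pw):
    """Policy verdict plus brute-force cost for one candidate password."""
    return {
        "password": pw,
        "violations": policy_violations(pw),
        "bits": round(guess_space_bits(pw), 1),
        "online_seconds": seconds_to_guess(pw, ONLINE_GUESSES_PER_SEC),
        "offline_seconds": seconds_to_guess(pw, OFFLINE_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    for candidate in ["password", "Passw0rd!", "ge.9u30!ey0",
                      "correct horse battery staple"]:
        r = assess(candidate)
        verdict = "accepted" if not r["violations"] else ", ".join(r["violations"])
        print(f"{candidate!r:34} {verdict:45} {r['bits']:6} bits  "
              f"online {r['online_seconds']:.3g}s  offline {r['offline_seconds']:.3g}s")
```

Running it shows the policy accepting the wordlist-adjacent "Passw0rd!" while rejecting both the poster's "ge.9u30!ey0" (no uppercase, "." not whitelisted) and a 28-character passphrase (too long, no digit, space not whitelisted), and shows "password" falling on the second online guess.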