On 07/05/07, David Gerard <dgerard(a)gmail.com> wrote:
Normal people just *don't understand* passwords.
I used to do dial-up Internet tech support. "What do you want for a
password?" "Oh, [username]." "I'm sorry, you can't have it be the
same." "Oh, [username]1."
Sounds like your old dial-up company didn't understand passwords
either - how difficult is it to implement a system which doesn't
involve everyone telling tech support their password?
Suggestions? Assume we can't require an RSA keyfob
for all editors.
It's not unusual to have a set of rules passwords have to satisfy that
are checked whenever an account is made or the password changed. It
doesn't take much to stop the "low hanging fruit" of bad passwords
(just require a certain length and require at least one letter and at
least one number - dictionary searches are good too, but not as easy).
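As an added illustration of the rule set described in the reply above (not code from the thread or from any wiki software), here is a small Python password-policy check: a minimum length, at least one letter and one digit, a rejection of passwords that are just the username with digits tacked on (the "[username]1" case from the quoted support call), and a dictionary check against a tiny constructed word list. The word list and the minimum length of 8 are assumptions for the example; a real deployment would load a proper wordlist and pick its own threshold.

```python
import re

# Constructed sample dictionary for the example; a real check would load a
# full wordlist from disk.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "wiki"}

# Assumed minimum length; the thread only says "a certain length".
MIN_LENGTH = 8

_TRAILING_DIGITS = re.compile(r"\d+$")


def _strip_trailing_digits(value):
    """Remove digits appended to the end, so 'secret1' compares as 'secret'."""
    return _TRAILING_DIGITS.sub("", value)


def password_problems(password, username=None, dictionary=COMMON_WORDS):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")

    lowered = password.lower()
    base = _strip_trailing_digits(lowered)

    # Reject the username itself and the "[username]1" dodge from the thread.
    if username is not None and username.lower() in (lowered, base):
        problems.append("based on the username")

    # Dictionary check, also catching "word" followed by digits.
    if lowered in dictionary or base in dictionary:
        problems.append("dictionary word (possibly with digits appended)")

    return problems


def is_acceptable(password, username=None, dictionary=COMMON_WORDS):
    """Convenience wrapper: True when no policy rule is violated."""
    return not password_problems(password, username, dictionary)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the support-call anecdote.
    for candidate in ("dgerard", "dgerard1", "password1", "12345678", "Tr0ub4dor93"):
        print(candidate, "->", password_problems(candidate, username="dgerard") or "ok")
```

The trailing-digit strip is the part worth noting: a plain "must contain a digit" rule is exactly what turns "[username]" into "[username]1", so the username and dictionary comparisons are done against the password with that suffix removed.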