Sunbeltblog comments

Don't you mean to say "...strong passwords shouldn't be real words at all..."?

Quoting from your 4th paragraph: "In fact, strong passwords should be real words at all, since the bad guys have software that can quickly try random words from the dictionary."

I completely agree. Why force strong pw policies on users...only to drive them to write them down and keep them hidden under their keyboards?

If you are going to enforce strong pw requirements...then encourage users by providing them effective tool(s) to securely manage them -- a secure single-signon network tool, or a password keeper application.

Or compartmentalize your pw requirements..."low/no" risk accesses can have more simplified pw requirements for users...while "high/critical" risk accesses require the highest pw rule-compliance settings.

Plus....it's also workload-heck on the help desk staff having to manage and reset all these pw's for the users who can't remember them!

I'm a glutton for a security enforcement culture in IT, but even the best practices can be undermined when they fail to be accepted by the end-user culture that has to use them.
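The dictionary-attack point in the comment above (a password that is a real word, even with the usual symbol substitutions and an appended digit, is what cracking software tries first) is easier to act on with a checker that normalizes a candidate the way a cracker's rule engine would before looking it up. The following is an added example, not code from the blog or its commenters; the wordlist and the leet-substitution table are constructed for the demo, and a real deployment would load a large leaked-password corpus instead.

```python
import re

# Constructed mini wordlist for the demo; a real checker loads a large
# corpus of cracked passwords (the "dictionary" the bad guys use).
WORDLIST = {"password", "letmein", "welcome", "sunshine", "dragon", "monkey"}

# Common "leet" substitutions a cracker's rule engine undoes: P@ssw0rd -> password
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Leading punctuation and trailing digits/punctuation ("dragon!!", "monkey2005")
_TRIM = re.compile(r"^\W*|[\W\d]*$")


def candidates(password: str):
    """Yield the base-word forms a rule-based cracker would map this password to."""
    p = password.lower()
    yield p
    yield p.translate(LEET)
    trimmed = _TRIM.sub("", p)
    yield trimmed
    yield trimmed.translate(LEET)      # p@ssw0rd1 -> p@ssw0rd -> password
    yield _TRIM.sub("", p.translate(LEET))  # @dmin -> admin


def is_dictionary_based(password: str, wordlist=WORDLIST) -> bool:
    """True if any normalized form of the password is a plain dictionary word."""
    return any(c in wordlist for c in candidates(password))


def check_password(password: str, wordlist=WORDLIST, min_len: int = 8) -> str:
    """Return 'ok', 'too short', or 'dictionary word' (the reason to reject)."""
    if len(password) < min_len:
        return "too short"
    if is_dictionary_based(password, wordlist):
        return "dictionary word"
    return "ok"


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Dr4g0n!!", "monkey2005", "correct-horse-battery"]:
        print(pw, "->", check_password(pw))
```

The point of generating several normalized forms rather than one is that trimming and de-leeting do not commute: "p@ssw0rd1" de-leets to "passwordi" if the trailing "1" is treated as a letter first, but trims to "p@ssw0rd" and then de-leets to "password" in the other order, and a cracker's rules try both.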


Sorry, that was a typo. It's fixed.


The problem with security concerns is that there is no stopping the build up of hype and fear.

If we take your house comparison....the security paranoid, if they had a house, would probably lock and bar themselves within their house to ensure that they were never burgled. That is basically what lots of super security conscious people are doing....rather than, say, making sure the windows are locked, the door is closed and has a good lock on it.

In the end, if you go overboard you may as well just do the ultimate in security - unplug your internet connection.


On passwords, changing passwords every 2 weeks is crazy. It makes no sense whatsoever...I would HOPE that if there were perpetual failed logins to a machine in a network, then the administrator would have been sent that information, i.e. logging it.


Why not deploy two-factor password-generating hardware tokens like SecurID (RSA) or Safeword (Securecomputing)?

So you don't rely only on (weak) passwords but also on hardware-generated passwords, only valid for a minute. After this time the password is invalid and a new one is generated by the token.

But I think "passwords" are only an example for Securanoia
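The one-minute-validity token the comment describes is a time-synchronized one-time password. The block below is an added example, not code from the blog, RSA or Secure Computing, and it does not implement the proprietary SecurID algorithm: it uses the open RFC 4226/6238 HOTP/TOTP construction (HMAC-SHA1 over a counter derived from the clock) with a 60-second step, which is my assumption as a stand-in. The seed and timestamps are constructed for the demo. Besides generating codes, it shows the two server-side details that matter in practice: accepting a neighbouring window to absorb clock drift, and refusing to accept the same window twice so a sniffed code cannot be replayed within its minute.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # one-minute validity window, as described in the comment
DIGITS = 6

# Constructed demo seed; a real token carries a per-device seed set at manufacture.
DEMO_SEED = b"constructed-demo-seed-0123456789"


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (token side)."""
    return hotp(seed, now // step)


class TokenVerifier:
    """Server-side check for one user's token. Accepts the code for the current
    window plus `skew` neighbouring windows (clock drift between token and
    server), and never accepts a window at or below the last one consumed, so a
    captured code cannot be replayed during its remaining validity."""

    def __init__(self, seed: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.seed = seed
        self.step = step
        self.skew = skew
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue   # already used (or older): treated as a replay
            # constant-time compare so a failed check leaks nothing about the code
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    t = 1_000_020                      # constructed clock value (epoch seconds)
    code = totp(DEMO_SEED, t)          # what the token would display
    server = TokenVerifier(DEMO_SEED)
    print(code, server.verify(code, t + 30), server.verify(code, t + 30))
    # second verify of the same code is rejected as a replay
```

The `skew` parameter is the usual trade-off: each extra window accepted roughly doubles the chance that a guessed six-digit code is valid, so it is kept at one window (or zero once a token is known to be in sync) and a resync procedure is used for tokens that drift further.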


Bruce Schneier just posted a technical essay on this same topic.

Choosing Secure Passwords

It was pretty good reading--especially the context information on how password-breaking software works.


Before I say my piece, I will confess overall ignorance of Microsoft's Active Directory services, and only use it in a limited capacity. Not that I need it most of the time...

That aside...

I understand things like your Outlook PST file can be offline hacked. I will be addressing online hacks, so if I'm going off topic I apologize in advance.

We support a number of Novell shops. Something Novell has had around for decades (long before it became popular on secure web sites) is the "intruder lockout" feature. We typically have it set to 3 guesses, and you're locked out - for a month. Even if you guess the right password after lockout, you get back the "account locked" message.

Also, unlike MS Systems where various hacks have been known to access the password file on the server (and thus allow for offline password cracking), I have yet to find such an animal for Novell. This is despite the fact that Novell's eDirectory (formerly known as NDS and around many years before MS Active Directory) can be installed and used not only on legacy Netware systems but also many current Linux servers as well as MS Windows server flavors. To evaluate, go here: http://www.novell.com/products/ e...evaluation.html

I'm sure as more people use it, some hacks may surface. However, one thing I admire about Novell is they still provide support for some ancient systems such as Netware 5.1 - around since 1996. Try getting any (non-online) support from Microsoft on Windows NT 4.0 lately?

Hey Alex - any of your products run on Suse Linux?
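The intruder-lockout behaviour described in the comment above (three wrong guesses, a month-long lock, and "account locked" returned even when the subsequent guess is correct) is simple to state but easy to get subtly wrong on the server. The block below is an added example, not code from Novell or the blog; the account store, the PBKDF2 rounds and the time values are constructed for the demo. It checks the lock before it checks the password, resets the failure counter on success, and spends the same hashing time on an unknown username as on a wrong password so the login path does not reveal which usernames exist.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3                  # the comment's "3 guesses"
LOCKOUT_SECONDS = 30 * 24 * 60 * 60    # "locked out - for a month"
PBKDF2_ROUNDS = 100_000                # demo value; tune to your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so an offline attacker pays per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: int = 0   # epoch seconds; 0 means not locked


class AuthStore:
    def __init__(self):
        self.accounts = {}
        # Hashed against when the username is unknown, so that path takes as
        # long as a wrong-password attempt and does not confirm valid usernames.
        self._dummy_salt = os.urandom(16)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, hash_password(password, salt))

    def login(self, name: str, password: str, now: int) -> str:
        """Return 'ok', 'invalid' or 'locked'. `now` is epoch seconds, passed in
        so the lockout window can be tested deterministically."""
        acct = self.accounts.get(name)
        if acct is None:
            hash_password(password, self._dummy_salt)
            return "invalid"            # same message as a bad password
        if now < acct.locked_until:
            return "locked"             # rejected before the password is checked
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


if __name__ == "__main__":
    store = AuthStore()
    store.add_user("alice", "correct horse battery staple")
    t = 1_700_000_000   # constructed clock value
    for i, guess in enumerate(["wrong1", "wrong2", "wrong3", "correct horse battery staple"]):
        print(guess, "->", store.login("alice", guess, t + i))
    print("after a month ->", store.login("alice", "correct horse battery staple", t + LOCKOUT_SECONDS + 10))
```

The `now` argument is deliberately explicit rather than read from the clock inside `login`, which is what makes the month-long window testable; in production it would be the server's monotonic notion of time. A lock this long also means anyone who can reach the login prompt can lock a named user out with three deliberate guesses, so the threshold and duration are worth choosing with that in mind.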


Not much Linux support here, although our gateway version of CounterSpy runs on Linux (for scanning spyware at the gateway).


Unfortunately, these are the exceptions not the rules. Most of us in the Network Security arena understand the difficulties trying to remember very complex passwords (more than 8 characters long) and try our best not to be as anal as the guy with the 14 character length passwords that changed every two weeks. This is definitely overkill.

My question is how did this person get this past his boss or is his boss one of these types that does whatever the Network Security guy says? Whatever the case, it's not a pretty picture and I am glad I am not working there.

