[drdaeman]

> After failure number 5 most systems just lock the account.

Which gives us a nice method of blocking someone from their account just by intentionally logging in with a wrong password 5 times.

Much better method is to require user to solve CAPTCHA (or, maybe, "hashcash"-type test, to perform some time-consuming computation) after 2nd wrong guess per hour.

> All the requirements on password complexity are sheer idiocy.

Not exactly all. Sane minimal requirements like "you password can't be your name or birth date (or both of them combined)" are perfectly fine. It's very sad how many people use their birth year (yeah, just 4 digits!) as a password. And this is not because they don't care about their accounts (they do), it's just because they just don't get how insecure it is.

Just don't overdo it with real idiocy like "your password must contain at least one digit". Hey, my password generator gave me "CEvbnofFqDKNdRsW", and this IS really secure enough.