by jasonkester 5123 days ago
Complex password requirements lead to post-its on monitors in cubicles with passwords written on them. That's a much worse result than a weak password for pretty much any system that relies on passwords to stop bad things from happening.

For regular websites, generating monitor post-its is inexcusable. Let your users choose the letter "a" as their password if they want, but warn them about the implications. The only acceptable password workflow for a website is this:

  - Choose a password
  - complexity check
    - if failed, "Seriously?  That seems like a bad password" popup.
      - "Yes, seriously.  I don't really care if this account gets hacked enough to memorize a complex password."
  - done.

I'd go as far as having banks do it this way. Anything to avoid having access to a $20k wire transfer be as simple as sitting down at somebody's desk when they're gone for the day and reading a post-it saying "BofA - wAffles$2".

This is horrible advice given the threat model for either normal home users (at risk due to mass attacks/brute force, or MAYBE losing a wallet/unlocked phone/laptop with keys saved locally) or most corporate environments.

The solution in both cases is a move toward single sign on, using a password manager or a key or 2fa or federated login system (Kerberos, FB connect).

Enforcing minimum complexity requirements (and policies like no username as password, etc) protects the user and site. If a site has 10% of users with trivial passwords, even if it is just a commenting section on a blog, the site itself is at risk. Combine this with the propensity of users to globally reuse passwords, and everyone is kind of doomed. Passwords must die, but requiring a minimum level of passwords, and encouraging people to use passwords as safely as possible as an interim measure, is the only reasonable course of action.

Then measure actual entropy. Don't make me make a password that fits some weird ass hard to remember standard you dug up. Let me use "This rabbit killed the horse in cold blood, then drank all the pies" as a password if I want, it has more entropy than C@tV0m!t does.
The problem is it's hard to measure actual entropy. You can make a reasonable approximation (vs. a dictionary, and looking at the total character set) -- then, if you can, display the strength in some graphical way (ideally with a list of suggested rules which get checkmarked as the passphrase satisfies them). Still. "one TWO 3 +our" has less entropy than this would suggest.

I generally set an absolute minimum of 6-8 characters, not equal to username, site name, or a set of common passwords (including "password"). Sometimes require one (or two or three) of uppercase, number, or symbol for short passwords (i.e. stop requiring it if it is longer than 12 characters).

However, when a standard (or company policy) requires something like DIACAP, I'll enforce it in the pw creator. The absolute worst thing is when policy changes, and an allowed password becomes disallowed -- if it just expires and needs to be changed, that's one thing, but I've had sites where my long, special-case-laden passphrase worked in some login routines but didn't work in things like the password update routine (!!!).

For anything internal, I consider passwords basically unacceptable as an authentication mechanism alone; there must be PK or some kind of two factor auth.
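The gap between a character-set estimate and a dictionary-aware one, as discussed in the two comments above, as an added Python example that is not part of the thread: it scores the rabbit passphrase, "C@tV0m!t" and "one TWO 3 +our" both ways. The word list and leet table are tiny constructed stand-ins (a real checker loads a full wordlist), so the absolute numbers are low; the ordering is what matters.

```python
import math
import re

# Constructed stand-in for a real dictionary (assumption): a real checker
# loads a wordlist of tens of thousands of entries, so each matched word
# costs far more than the log2(20) bits this toy list yields.
COMMON_WORDS = {
    "this", "rabbit", "killed", "the", "horse", "in", "cold", "blood", "then",
    "drank", "all", "pies", "one", "two", "four", "tour", "cat", "vomit",
    "password", "love",
}
# Constructed leet table: symbols people substitute for letters.
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "+": "t", "0": "o"})

def charset_bits(pw):
    """Naive estimate: length * log2(size of the character classes used)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    size = sum(n for pat, n in classes if re.search(pat, pw))
    return len(pw) * math.log2(size) if size else 0.0

def segment_bits(letters):
    """Greedy longest-match split of a letter run into dictionary words:
    a matched word costs log2(dictionary size), a leftover letter log2(26)."""
    i, bits = 0, 0.0
    while i < len(letters):
        for j in range(len(letters), i, -1):
            if letters[i:j] in COMMON_WORDS:
                bits += math.log2(len(COMMON_WORDS))
                i = j
                break
        else:  # no dictionary word starts here; charge one raw letter
            bits += math.log2(26)
            i += 1
    return bits

def dictionary_bits(pw):
    """Pattern-aware estimate: undo leet and case, score letter runs as
    dictionary picks, digits as free digits, separators as predictable."""
    norm = pw.translate(LEET).lower()
    bits = 0.0
    for tok in re.findall(r"[a-z]+|[0-9]+|[^a-z0-9]+", norm):
        if tok.isalpha():
            bits += segment_bits(tok)
        elif tok.isdigit():
            bits += len(tok) * math.log2(10)
    # One bit for the capitalisation choice, one per leet substitution.
    bits += 1 if any(c.isupper() for c in pw) else 0
    bits += sum(1 for a, b in zip(pw, norm) if a.lower() != b)
    return bits
```

Even against this toy list the passphrase keeps about 57 bits while "C@tV0m!t" drops to about 13 and "one TWO 3 +our" to about 18, a fifth of what its character-set estimate of 92 bits suggests.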

One must think about who the most likely person would be to a) want access and b) try to break in... is it an anonymous hacker across the internet or a co-worker trying to sabotage? This is why "post-it noting passwords" is bad. Most computers/systems don't really have information that hackers want, other than to zombie a machine. This isn't to say we shouldn't worry about exposing our computers with quickly cracked passwords; we should protect all vectors into our systems, but realize that forcing strong passwords that need to be "post-it noted" drastically increases the likelihood of an internal rat/mole.