by skizm 4415 days ago
Actually this kind of gives me an idea: what if modern systems decided to just tell people they can't use "p" so that people stop using the word "password" or variants as their password.

Hell, for that matter, tell users they can't use vowels so they can't make words. They might do leet speak, or whatever which is pretty easy to crack given time, but it stops things like password re-use attacks (people less likely to have the same password as their other apps) and simple guessing attacks (try top 3 most popular passwords on all known emails/accounts).

For such a simple rule set (no vowels) it forces a decent level of password complexity.

6 comments

You've reminded me of something I found interesting regarding passwords in China. Often, faced with minimum password standards, a user will choose the first Romanised (Pinyin - used for keyboard input as well as phoneticisation) letter of each word in a phrase, an example being 我看懂中文你呢? which is Romanised as 'wo neng kan dong zhong wen ni ne?', or, taking the first letter of each word, 'wnkdzwnn?' (This phrase, meaning 'I can read Chinese, can you?', is a somewhat unlikely candidate for usage.)

I doubt the security, given the prevalence of z, w, n, etc. in Chinese (Mandarin) words (and likewise in other languages), doubly so because of common phrases that a lot of people would likely pick, and would heed against such a policy.

You missed a 能 after 我.
Yeah, saw that but couldn't edit any longer. Oh well... IBus was not to blame this time.
Correct Horse Battery Staple[1] is a good example of a good password with high entropy, bzzl123 is not. Something like that would surely do more harm than good.

[1] http://xkcd.com/936/

Better to simply utilize one of the many, many, many, many, many lists of most frequently used passwords.

There are lists extending to the tens of thousands if not millions, but simply forbidding the 10 or 100 most frequent combinations would be a huge win. Using full lists as available would be great -- and is actually what password security should be based around. A known password is a bad password.

Don't get me started on PINs.
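The check described in this comment ("a known password is a bad password"), as an added example that is not code from the thread. The word list below is a short constructed sample standing in for a real published frequency list; the normalisation (lowercasing, stripping a trailing "123"/"!" suffix, undoing common leet substitutions) and the vowel-stripped "skeleton" comparison are my own additions, the latter to show that the no-vowel policy proposed at the top of the thread still lets "psswrd123" be caught against the same list.

```python
import re

# Constructed sample of a "most frequently used passwords" list. A real
# deployment would load a full published list (tens of thousands of entries).
COMMON_PASSWORDS = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "sunshine", "master", "welcome", "shadow", "ashley", "football",
    "jesus", "michael", "ninja", "mustang", "password1",
]

# Common leet substitutions, undone before comparison (assumed mapping).
LEET = str.maketrans("@$013457!", "asoieasti")
VOWELS = set("aeiou")


def normalize(pw: str) -> str:
    """Canonical form used for comparing a candidate with the list."""
    low = pw.lower()
    if not re.search(r"[a-z]", low):
        return low  # all-digit/symbol entries (PINs, "123456") are compared verbatim
    # "password123", "Monkey!" -> "password", "monkey"
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    # interior leet: "p@ssw0rd" -> "password"
    return core.translate(LEET)


def skeleton(s: str) -> str:
    """Vowel-stripped form: "password" -> "psswrd"."""
    return "".join(c for c in s if c not in VOWELS)


class KnownPasswordChecker:
    def __init__(self, common):
        self.exact = set()
        self.skeletons = set()
        for entry in common:
            n = normalize(entry)
            self.exact.add(n)
            sk = skeleton(n)
            # only word-like entries yield a useful skeleton; short ones would
            # collide with too many unrelated strings
            if sk != n and len(sk) >= 4:
                self.skeletons.add(sk)

    def check(self, candidate: str):
        """Return (accepted, reason)."""
        n = normalize(candidate)
        if n in self.exact:
            return False, f"matches known password {n!r}"
        sk = skeleton(n)
        if sk in self.skeletons:
            return False, f"vowel-stripped form {sk!r} matches a known password"
        return True, "not on the known-password list"


if __name__ == "__main__":
    checker = KnownPasswordChecker(COMMON_PASSWORDS)
    for cand in ["P@ssw0rd123", "psswrd123", "Monkey!", "123456",
                 "bzzl123", "correcthorsebatterystaple"]:
        ok, why = checker.check(cand)
        print(f"{cand:28} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Note what the list check does and does not do: "bzzl123" is accepted because it is not a known password in any of the normalised forms, not because it is strong. Rejecting known passwords is a floor, and a strength or entropy estimate is a separate check.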

One issue for IT is having employees write down their passwords. I can imagine something like this would have the same effect and probably decrease security somewhat. Although, take what I say with a grain of salt. I'm not sure how prevalent having your passwords physically stolen outside of a closed environment like a workplace is.

There are a lot more variables at a job than at my house in my locked drawer.

From a usability standpoint I would say it is easier to advise the user that using a commonly used password is a bad idea. Suggest alternatives but ultimately it is their choice.
psswrd123
assword123
Looking through old scripts, you'll sometimes see a matching query for "sername", so you get both Username and username (pseudo case-insensitive) and there's usually a second matching query for... "ssword", because removing "P" gives you "assword", which clearly is improper to put in a script! Harrumph!
Sounds like that script has a back door.