Old 11-11-2010, 01:43 PM   #46
Worldwalker
Curmudgeon
 
Posts: 3,085
Karma: 722357
Join Date: Feb 2010
Device: PRS-505
A basic dictionary attack will be detected within a few tries; it's not like the old days. If they're stealing the password file and attacking that, the solution is better system security, not weaker user security, and if they've got enough of a massively parallel system (or perhaps a botnet) to try every option against the hashes, requiring unmemorable characters in users' passwords will not make it measurably slower. A disturbingly common point of attack is stolen (or just lost) laptops with passwords on them. The world's most secure password doesn't do jack for a trojaned, stolen, or otherwise suborned computer. Making the users write their passwords down, or store them in their laptops, as Duncan says, is making the problem worse instead of better.

I did once have a nice consulting gig resetting an office manager's password every 90 days. He always ignored the "grace period" messages, then called in great distress when his old password didn't work anymore, giving me a nice drive and some free money for 5 minutes' work. Unfortunately, it wasn't long before they bought a system that didn't suck. I miss that one.
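The post's first claim, that an online dictionary attack is noticed within a few tries, is what a failed-login threshold rule does in practice. The following is an added example, not code from the post or the forum; the sshd-style log lines are constructed, and the one-minute window, the threshold of five failures and the name `detect_guessing` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from the post): six failures against one account
# from one source inside a minute, then unrelated traffic.
SAMPLE_LOG = """\
2010-11-11 13:40:01 sshd: Failed password for alice from 203.0.113.9
2010-11-11 13:40:02 sshd: Failed password for alice from 203.0.113.9
2010-11-11 13:40:03 sshd: Failed password for alice from 203.0.113.9
2010-11-11 13:40:04 sshd: Failed password for alice from 203.0.113.9
2010-11-11 13:40:05 sshd: Failed password for alice from 203.0.113.9
2010-11-11 13:40:06 sshd: Failed password for alice from 203.0.113.9
2010-11-11 13:45:00 sshd: Accepted password for bob from 198.51.100.7
2010-11-11 13:59:00 sshd: Failed password for carol from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def detect_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return [(user, src, timestamp)] for each (user, src) pair whose failed
    logins exceed `threshold` inside a sliding `window`. One alert per pair."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in another format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["user"], m["src"])
        if m["result"] == "Accepted":
            failures[key].clear()  # a successful login ends the streak
            continue
        recent = failures[key]
        recent.append(ts)
        while recent and ts - recent[0] > window:  # forget failures outside the window
            recent.popleft()
        if len(recent) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((m["user"], m["src"], m["ts"]))
    return alerts
```

With the sample above the rule fires on the sixth attempt against alice, while carol's single failure stays below the threshold.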