I take the view that a lot of password cracking tools are quite limited in the size of the password they will handle.
There is also the question of how long someone will continue to attempt a crack.
I generally recommend that newbies (or anyone else for that matter) use a "core password" and just expand it with some easily remembered characters something like this:
September 21st, 2006, 02:44 PM
It is funny that you should mention that, as 90% of the installations I have worked on require that every 90 days all passwords will be changed. And it's tough enough to get that 'core' password to flow from your fingertips so everyone just adds a bit to the front and back ....
Very useful technique ;)
But, there are some 'evil' systems that 'know' what you're doing and state that this password is too similar to the old one. Grr.
September 23rd, 2006, 04:13 PM
I do not understand the concern over password complexity. According to my math, if I extract my password randomly from the alphanumeric set plus the shifted numerics, I will only need a password four entities long to satisfy the ANSI X9.9 standard, which states that the odds of guessing an authentication response must be no greater than one in 1,000,000.
Yields 46 entities. A four-entity password would contain 46^4 = 4,477,456 possible passwords.
Given the normal three-attempts-before-lockout policy featured by security-minded organizations, this number is divided by three for odds of one in 1,492,485. To reset the lockout the user must enter the correct authentication response twice consecutively. The first time will error as normal and quietly unlock the account. The user will then be notified of the login failures and can respond appropriately.
Considering that password hashes are plaintext equivalent, the cracking argument is not valid either, never mind the fact that very privileged access must already be acquired to access the hashes in the first place.
Passwords face five discrete threats.
[list=1]
[*]Guessing (resolved by a four-entity password as shown above.)
[*]Brute force (resolved by limiting the attempts.)
[*]Perception management (still an unresolved issue, not affected by password complexity.)
[*]Recording (resolved by ensuring system and channel integrity.)
[*]Emanations (resolved by ensuring environmental integrity.)
[/list=1]
Mandating long or complex authentication responses does little to increase trustworthiness while increasing the occurrence of users handling passwords inappropriately and decreasing administrative vigilance to invalid authentication attempts.
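The guessing odds in the post above, worked through as an added example (this is not code from the thread or from any of its posters). It assumes what the post assumes: the password is chosen uniformly at random from a 46-symbol alphabet (26 letters in one case, 10 digits, 10 shifted digits), each guess is distinct, and the bound is the one-in-1,000,000 figure the post attributes to ANSI X9.9. It goes beyond the post's single case by computing the minimum length for any alphabet size and attempt budget, which makes visible how much the answer depends on the lockout limit.

```python
from fractions import Fraction

# Alphabet as counted in the post: 26 letters (single case), 10 digits,
# 10 shifted digits. This composition is an assumption taken from the post.
ALPHANUMERIC_PLUS_SHIFTED = 26 + 10 + 10  # 46

# The bound the post attributes to ANSI X9.9: at most 1 in 1,000,000.
X9_9_BOUND = Fraction(1, 1_000_000)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def guess_probability(alphabet_size: int, length: int, attempts: int) -> Fraction:
    """Probability that `attempts` distinct guesses hit a uniformly random password.

    Capped at 1: once every candidate has been tried the guess is certain.
    """
    space = keyspace(alphabet_size, length)
    return Fraction(min(attempts, space), space)


def odds_against(alphabet_size: int, length: int, attempts: int) -> Fraction:
    """The 'one in N' figure: N = keyspace / attempts (exact, as a Fraction)."""
    return 1 / guess_probability(alphabet_size, length, attempts)


def meets_bound(alphabet_size: int, length: int, attempts: int,
                bound: Fraction = X9_9_BOUND) -> bool:
    """True when the attacker's success probability is within the bound."""
    return guess_probability(alphabet_size, length, attempts) <= bound


def min_length(alphabet_size: int, attempts: int,
               bound: Fraction = X9_9_BOUND) -> int:
    """Smallest password length whose guess probability is within `bound`.

    Walks upward from one symbol; the loop terminates because the keyspace
    grows geometrically while the attempt budget is fixed.
    """
    length = 1
    while not meets_bound(alphabet_size, length, attempts, bound):
        length += 1
    return length


if __name__ == "__main__":
    a = ALPHANUMERIC_PLUS_SHIFTED
    print(f"keyspace(46, 4) = {keyspace(a, 4):,}")
    print(f"odds against 3 guesses = 1 in {float(odds_against(a, 4, 3)):,.2f}")
    for attempts in (1, 3, 100, 10_000):
        print(f"attempt budget {attempts:>6}: minimum length {min_length(a, attempts)}")
```

The last loop is the part worth looking at: with the three-attempt lockout the post relies on, four symbols clear the bound, but the same alphabet needs five symbols if an attacker gets a hundred guesses and more still if the lockout is absent, so the length the post arrives at is a property of the lockout policy as much as of the alphabet.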