rjoc04679

Sid Schweiger sid@wrko.com
Thu Mar 31 09:36:57 EDT 2011


"It would, however, be stronger if it contained no words that were vulnerable to a dictionary attack.  'NSzYAYh-40%PYICi&2' is much stronger, as it contains no dictionary words and incorporates three non-alpha-numeric characters (-, % and &) instead of one (-) repeated three times."

A nice idea, but in practice maybe not so much.  The problem is that passwords have to be used by people, not machines, and a password that bears no resemblance whatsoever to anything in human experience is going to be either forgotten regularly or written down and posted on the user's monitor, which is the same as having no password at all.  From an admin's POV, setting too strict a password policy leads to workarounds which inevitably end up compromising the very security passwords were intended to protect.

Sid Schweiger
IT Manager, Entercom New England
20 Guest St / 3d Floor
Brighton MA  02135-2040



More information about the Boston-Radio-Interest mailing list