
A Strong Password Isn’t the Strongest Security - ez77
http://www.nytimes.com/2010/09/05/business/05digi.html?_r=1&hpw
======
teilo
If you make users jump through hoops when creating passwords, the users will
inevitably employ very insecure methods to remember the passwords, like
writing them down on a post-it note and sticking it to their monitor.

Force them to change it often? They will take your rule about using numbers,
and just serialize their password: same password, incremented every time they
are forced to change.

But in the end you are still better off, even if they do this. You may not
solve the problem of local security (witness the post-it notes), but at least
you won't have people hacking into your SMTP server and using it to relay
spam, because someone used their First Name as a password.
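As an added example (not code from the thread or the linked article), here is one defender-side check for the two failure modes teilo describes: a new password that is the old one with the trailing number bumped, and a password that is just the account holder's first name. The history stores only salted hashes of the password "stem", so it never holds cleartext; the salt, the 12-character minimum and the sample passwords are constructed for the example.

```python
import hashlib
import re

# Trailing run of digits and/or punctuation, e.g. "...2010!" or "...3".
_SUFFIX = re.compile(r"[\d\W_]+$")


def stem(password: str) -> str:
    """Reduce a password to the part users keep when they 'serialize' it."""
    core = _SUFFIX.sub("", password).lower()
    # An all-digit password has no stem; compare it whole instead.
    return core or password.lower()


def stem_digest(password: str, salt: bytes) -> str:
    """Salted hash of the stem; this is what the history list stores."""
    return hashlib.sha256(salt + stem(password).encode("utf-8")).hexdigest()


def reject_reasons(new_password: str, stem_history: list[str],
                   salt: bytes, first_name: str) -> list[str]:
    """Return the policy violations for new_password (empty list means accept)."""
    reasons = []
    if len(new_password) < 12:  # constructed minimum length
        reasons.append("shorter than 12 characters")
    if first_name and first_name.lower() in new_password.lower():
        reasons.append("contains the account holder's first name")
    if stem_digest(new_password, salt) in stem_history:
        reasons.append("same as a previous password apart from a trailing number or symbol")
    return reasons


if __name__ == "__main__":
    # Constructed account state: two previous passwords, stored as stem digests.
    salt = b"constructed-per-account-salt"
    history = [stem_digest(p, salt) for p in ("Wintertime2009!", "Autumntime2009")]
    # The "incremented" password is caught even though it is not identical.
    print(reject_reasons("Wintertime2010!", history, salt, "Alice"))
    print(reject_reasons("correct horse battery", history, salt, "Alice"))
```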

