John Hascall writes:

> Fact is, no matter what your passwords rules are,
> half the people or more will choose the weakest
> password allowed. If we added lifetime I'm sure
> we'd just see 50% of our users change and change
> back. If we added history, 50% or more would just
> do aaaaaaa1 aaaaaaa2 aaaaaaa3 ...


Those sorts of passwords are trivial to reject with password strength
checking that does something more than just password length restrictions,
such as running the password through cracklib.

People do pick the weakest passwords allowed, so the weakest passwords
allowed should be stronger than what a brute force dictionary search can
find.

> I strongly suspect that the more onerous the rules,
> the higher the percentage doing stuff like this.
> And then we get into sticky notes...


Sticky notes are *great* for the average user. I would strongly encourage
people to come up with a difficult and complex password, write it down on
a sticky note, and put it in their wallet, right next to their credit
card, driver's license, and other things that they already know how to
keep secure. Writing the password down converts the vulnerability to one
requiring physical presence, which is *way* easier to defend against in
general.

Think of it this way: an impossible-to-remember password on a sticky note
in their wallet is sort of like the poor-man's smart card for when you
don't yet have the infrastructure to do real smart cards.

--
Russ Allbery (rra@stanford.edu)
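To make concrete what "something more than just password length restrictions" looks like, here is an added example (not code from this thread and not cracklib itself) of a small Python strength checker in the spirit of pam_cracklib. It rejects the `aaaaaaa1`, `aaaaaaa2`, `aaaaaaa3` pattern through a repeated-character rule and a history-similarity rule, and catches dictionary words even when padded with digits or leet-substituted. The word list, the thresholds, and the similarity ratio are assumptions chosen for the demo; a real deployment would use cracklib's full dictionary and its own tuned limits.

```python
"""Password-quality checks beyond a bare length rule (constructed example).

This is a self-contained emulation of the kinds of checks cracklib /
pam_cracklib perform, not cracklib itself.  Dictionary, thresholds and
the similarity cut-off are assumptions for demonstration purposes.
"""
import re
from difflib import SequenceMatcher

# Constructed stand-in for a real cracklib dictionary (assumption).
DICTIONARY = {"password", "stanford", "welcome", "letmein", "monkey", "dragon"}

MIN_LENGTH = 8         # assumption
MIN_CLASSES = 3        # of: lower / upper / digit / other
MAX_REPEAT_RUN = 3     # longest run of one character, e.g. "aaaa"
MAX_SIMILARITY = 0.6   # SequenceMatcher ratio against old passwords


def char_classes(pw):
    """Count how many character classes the password draws from."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"):
        if re.search(pattern, pw):
            classes += 1
    return classes


def longest_run(pw):
    """Length of the longest run of one repeated character."""
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def leet_normalize(pw):
    """Undo common substitutions so 'p@ssw0rd' still matches 'password'."""
    subs = {"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "5": "s", "!": "i"}
    return "".join(subs.get(c, c) for c in pw)


def dictionary_hit(pw):
    """True if the password is, or is built around, a dictionary word."""
    core = re.sub(r"[^a-z]", "", leet_normalize(pw).lower())
    if core in DICTIONARY:
        return True
    # "password1" or "xpasswordx" is still a dictionary word at heart.
    return any(word in core for word in DICTIONARY if len(word) >= 6)


def too_similar(pw, old):
    """History check: reject small edits of a previous password."""
    return SequenceMatcher(None, pw, old).ratio() > MAX_SIMILARITY


def check_password(candidate, history=()):
    """Return the list of reasons a candidate is rejected; empty means OK."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if char_classes(candidate) < MIN_CLASSES:
        reasons.append("too few character classes")
    if longest_run(candidate) > MAX_REPEAT_RUN:
        reasons.append("repeated characters")
    if dictionary_hit(candidate):
        reasons.append("based on a dictionary word")
    for old in history:
        if too_similar(candidate, old):
            reasons.append("too similar to a previous password")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: the thread's "aaaaaaa2" trick, a leet
    # dictionary word, and a password that passes all checks.
    for pw, hist in (("aaaaaaa2", ["aaaaaaa1"]),
                     ("P@ssw0rd1", []),
                     ("quartz-Lamp-7x!", ["aaaaaaa1"])):
        print(repr(pw), "->", check_password(pw, hist) or "accepted")
```

The history rule is what defeats the increment-the-digit trick: `aaaaaaa2` against a stored `aaaaaaa1` scores far above the cut-off, so the user cannot satisfy a history policy by changing one character. The repeat-run and class-count rules catch the same password even with no history at all, which is the point of checking strength rather than only length.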