
> At my company this typically results in users printing or writing the password down. I wonder if the guys who create these heuristics/recommendations ever had contact with humans.

While I absolutely understand your sentiment, I think you might be conflating extreme password requirements with reasonable password requirements.

The article linked suggests that a strong password is 10 characters (that's the whopper), and three of four complexity requirements (capital, special, number, lower). That's not unreasonable. In fact, the only really difficult part of that is the 10 characters bit.

Switch that to 8 characters and you're golden.

Even better, have a five minute lockout and/or email unlock functionality after, say, ten failed attempts -- and you're doing great.

I deal with web application security assessments on a daily basis, and the current status (as a general rule) is abysmal. Passwords won't fix most of those problems, but making sure that users can't set "password" as their password can at least improve one potential issue.
How about just measure entropy based on some criteria (using things from different sets MIGHT count as entropy for each new unique set) and letting the end user decide what goes into the password and how long it is?
Would a raw entropy evaluation help mitigate a human factor like just using "passwordpassword" instead? Would that even be a problem?
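A worked example, added here and not written by any of the commenters, of the two ideas in this exchange: the linked article's length-plus-three-of-four policy, a raw per-character entropy estimate, and a repetition-aware estimate that collapses "passwordpassword" to its repeating unit before scoring it. The small denylist and all function names are assumptions made for this example.

```python
import math
import string

# Character classes behind the linked article's "three of four" rule.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
# Constructed denylist for this example; a real deployment would load a
# breached-password list instead.
DENYLIST = {"password", "qwerty", "letmein"}

def classes_used(password):
    """Names of the character classes the password actually draws from."""
    return {n for n, chars in CLASSES.items() if any(c in chars for c in password)}

def meets_policy(password, min_length=10, min_classes=3):
    """The thread's rule: min_length characters and min_classes of the four classes."""
    return len(password) >= min_length and len(classes_used(password)) >= min_classes

def naive_entropy_bits(password):
    """Per-character log2 of the combined alphabet size: the usual 'raw entropy'."""
    alphabet = sum(len(CLASSES[n]) for n in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def smallest_repeating_unit(password):
    """Shortest substring whose repetition reproduces the password
    ("passwordpassword" -> "password"); the password itself if there is none."""
    n = len(password)
    for period in range(1, n // 2 + 1):
        if n % period == 0 and password[:period] * (n // period) == password:
            return password[:period]
    return password

def effective_entropy_bits(password):
    """Naive estimate applied to the repeating unit, so doubling a word buys nothing."""
    unit = smallest_repeating_unit(password)
    if unit.lower() in DENYLIST:
        return 0.0  # a known bad word, repeated or not, is treated as guessable
    return naive_entropy_bits(unit)

def evaluate(password):
    """Policy verdict beside both entropy estimates, for side-by-side comparison."""
    return {
        "policy_ok": meets_policy(password),
        "naive_bits": round(naive_entropy_bits(password), 1),
        "effective_bits": round(effective_entropy_bits(password), 1),
    }
```

Running `evaluate("passwordpassword")` shows the gap the second comment asks about: the raw estimate credits 16 lowercase characters, while the repetition-aware one reduces the string to "password" and rejects it.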