Password policies provide an interesting case study in the design of security procedures. Some say their days are numbered, and that biometrics, smart cards and other such technologies will replace them, but for a considerable time to come organisations will continue to control who can access their networks and IT systems with usernames and passwords.
To be effective in security terms, a password must be easy for its owner to remember, yet to all intents and purposes a random jumble of characters to anyone else: an attacker who knows nothing about the owner should have no better strategy than trying every possibility.
Unfortunately, people often choose passwords that are easy to remember – and are almost as easy for others to guess.
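The gap between "easy to remember" and "easy to guess" is what an offline dictionary attack exploits. The following Python script is an added illustration and is not code from the original article; the user records, the short word list and the mangling rules are constructed for the example. It shows that a password such as "P@ssw0rd1" satisfies a typical upper/lower/digit/symbol composition rule and is still recovered within a few dozen guesses, while a genuinely random string survives the same attack. It also shows the policy-side counterpart: rejecting a candidate password if it falls inside the attacker's first guesses, regardless of its composition.

```python
import hashlib
import os

# Constructed word list: a handful of entries of the kind that head any
# leaked-password frequency list (not a real leaked data set).
BASE_WORDS = ["123456", "password", "iloveyou", "princess", "rockyou", "abc123"]

# Cheap substitutions attackers apply to each base word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ("1", "123", "!", "2010", "!1")


def candidates(word):
    """Yield a base word and the variants that defeat naive composition rules."""
    forms = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    seen = set()
    for form in forms:
        if form in seen:
            continue
        seen.add(form)
        yield form
        for suffix in SUFFIXES:
            yield form + suffix


def make_record(password):
    """Salted SHA-256 as a stand-in for a stored credential (a real store should
    use a slow KDF such as bcrypt/argon2; that raises the cost per guess but does
    not change which passwords a dictionary attack recovers)."""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


def crack_one(salt, digest, base_words=BASE_WORDS):
    """Offline dictionary attack on one record: returns (password or None, guesses)."""
    guesses = 0
    for word in base_words:
        for cand in candidates(word):
            guesses += 1
            if hashlib.sha256(salt + cand.encode()).digest() == digest:
                return cand, guesses
    return None, guesses


def policy_ok(pw):
    """A typical composition rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def guessable(pw, base_words=BASE_WORDS):
    """Policy-side check: reject anything inside the attacker's first guesses."""
    return any(pw == cand for word in base_words for cand in candidates(word))


def run_demo():
    """Hypothetical users; returns ({user: recovered password}, total guesses)."""
    users = {
        "alice": "P@ssw0rd1",        # passes the composition rule, still in the list
        "bob":   "Princess123",      # memorable, fails the rule, also in the list
        "carol": "tQ7#mL9vRx2!pZ",   # random: not reachable from the word list
    }
    records = {u: make_record(p) for u, p in users.items()}
    found, total = {}, 0
    for user, (salt, digest) in records.items():
        pw, guesses = crack_one(salt, digest)
        total += guesses
        if pw is not None:
            found[user] = pw
    return found, total


if __name__ == "__main__":
    found, total = run_demo()
    for user, pw in found.items():
        print(f"{user}: {pw!r} (policy_ok={policy_ok(pw)}, guessable={guessable(pw)})")
    print(f"{total} guesses in total")
```

The point of the two checks side by side is that composition rules measure the wrong thing: "P@ssw0rd1" scores full marks on character classes yet is generated by the second base word and a single substitution rule, while the blocklist-style check in guessable() rejects it and accepts the random string.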
In January 2010, an unknown hacker stole a list of 32 million passwords from RockYou, an ...