Password policies provide an interesting case study in the design of security procedures. Some say their days are numbered – that biometrics, smart cards and other such technologies will replace them – but for some considerable time to come, organisations will control who can access their networks and IT systems using usernames and passwords.

To be effective in security terms, a password must be remembered by its owner, but to all intents and purposes be a random jumble of characters to anyone else.

Unfortunately, people often choose passwords that are easy to remember – and are almost as easy for others to guess.
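The gap between "easy to remember" and "easy to guess" can be put in numbers. The following is an added Python illustration, not from the book: it estimates the guess-space of a password under a naive brute-force model (every character equally likely) and under a guesser who tries common choices and word-plus-digits patterns first. The common-password and dictionary lists are small constructed placeholders, not the RockYou data the text refers to.

```python
import math
import string

# Constructed placeholder data: a short list of frequently chosen passwords
# (in popularity order) and a mini-dictionary of words people build on.
COMMON_PASSWORDS = ["123456", "password", "iloveyou", "princess",
                    "rockyou", "abc123", "qwerty", "letmein"]
DICTIONARY_WORDS = ["password", "summer", "dragon", "monkey",
                    "football", "welcome"]
MAX_DIGIT_SUFFIX = 4  # "summer2019"-style endings up to four digits


def brute_force_bits(pw: str) -> float:
    """Naive estimate: log2 of (charset size ** length), where the charset is
    the union of character classes present. This is what many policy
    checkers effectively measure."""
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)
    return len(pw) * math.log2(charset) if charset else 0.0


def guessability_bits(pw: str) -> float:
    """Estimate against a guesser who works through cheap patterns first:
    returns log2 of the number of guesses that model needs to reach pw,
    falling back to the brute-force figure when no cheap pattern fits."""
    # Pattern 1: the password is simply one of the common choices.
    if pw in COMMON_PASSWORDS:
        return math.log2(COMMON_PASSWORDS.index(pw) + 1)
    # Pattern 2: dictionary word (any capitalisation) plus a short digit suffix.
    stem = pw.rstrip(string.digits)
    digits = pw[len(stem):]
    if stem.lower() in DICTIONARY_WORDS and len(digits) <= MAX_DIGIT_SUFFIX:
        # Upper bound on guesses: the common list, then every word in two
        # capitalisations with every digit suffix of length 0..MAX_DIGIT_SUFFIX.
        suffixes = sum(10 ** k for k in range(MAX_DIGIT_SUFFIX + 1))
        total = len(COMMON_PASSWORDS) + len(DICTIONARY_WORDS) * 2 * suffixes
        return math.log2(total)
    return brute_force_bits(pw)


if __name__ == "__main__":
    for candidate in ["password1", "Summer2019", "x7Q#m2Lp"]:
        print(f"{candidate:12} naive {brute_force_bits(candidate):5.1f} bits,"
              f" pattern-aware {guessability_bits(candidate):5.1f} bits")
```

A memorable choice such as "password1" scores over 40 bits on the naive model but around 17 against the pattern-aware guesser, while a genuinely random string scores the same on both.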

In January 2010, an unknown hacker stole a list of 32 million passwords from RockYou, an ...
