This blog post continues the same pattern I've seen repeated since the beginning:
- Shame existing password validators
- Suggest yet another password validator
The solution to this problem eludes most people, because most people have a propensity to babysit others. The solution is to stop validating passwords altogether. If we stop babysitting people and allow the natural economics of the situation to govern it, we'll begin to see more people educated in the science of creating good passwords.
The natural response to this is probably something like,
That's great and all, but we can't afford to let people lose their bank accounts and livelihoods based on some libertarian idealism.
to which the natural response is,
A) People already are losing their things, since as we've determined time and time again, password validators are only relevant until they aren't, and B) most people lose their accounts because of social engineering, not because of data leaks and then subsequent password guessing (and especially not because of simple password guessing, since CAPTCHAs handle that).