So with all this talk about passwords and passphrases, the only thing that everyone agrees on, regardless of how it gets done, is that “passwords”, if you will, need to be better, stronger, longer, more complex, etc.
Assume end-users will ALWAYS do the least they have to.
Every password is crackable. The question is how long it takes to crack the password. If you want short passwords, require users to change them every 2 weeks and see how they like that. I guess they would much rather change a 30-40 character password once every 3 months than a 6-8 character password with non-standard characters every 2-4 weeks.
This is how I approach this problem with my users.
Since when did any end-user have the power to control what the length of their password should be, or be trusted to have security on their mind? If this is a work environment and the breach of that password can cause loss of company data, it is the job of the administrators of that network to make security a top priority. Users don’t get an option; they do what they are told to do. If you don’t like it, work somewhere else. To prove that you’re serious, you check to make sure users are following the procedures. Show up on site and check for post-it notes, make sure users know that you check on them and that there are serious consequences for not complying with the policy, and follow through with the punishment if there are. If you have IT administrators and CEOs complaining about the security measures, they should not be employed by your company, or you need to find a company where the executives and IT staff understand. After all, they do not have the best interests of the company in mind if they are willing to put its information at risk.
From the standpoint of access to internet banking sites and personal information, it’s the user’s responsibility to have security in mind for their information. If they choose to have a bad password, it’s their own problem; after all, if their own information gets compromised, they are the ones that are affected, not your company. This will certainly force users to think more about security. Should companies be responsible for doing some educating of their end users? Absolutely, no doubt about it, but in the end it’s under the end user’s control.
Here is another thought. I understand that this is more of a discussion regarding passwords and passphrases, but most hackers need to get past perimeter defenses before having access to the general “users” accounts. These perimeter defenses should be secured with massive complex passwords that are not passphrases, and with methods to detect and stop these types of attacks. If a hacker does get past the perimeter, you will most likely have more problems than just users’ passwords.
If you are still worried about passwords getting cracked your only option is to layer the security so if someone wants to hack your systems it takes them so long they would much rather bother the people that haven’t changed.
I’m not a security expert by any means, just an administrator who has the company’s best interests and security to worry about. This is a simplistic look at something that is far more complex, with the hashing and how passwords are cracked, but if the risk is mitigated to the point where the password would be changed before a feasible attempt at cracking it, there is not much else you can do with strictly passwords.
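The commenter's argument rests on a comparison between how long an attacker needs to exhaust the password space and how often the password is rotated. The script below is an added example, not the commenter's own, that carries that comparison through with explicit numbers. All inputs are assumptions: the 10^10 guesses/second figure models an offline attack on a fast unsalted hash on commodity GPUs, the 10^5 guesses/second figure models a deliberately slow hash such as bcrypt, and the 7776-word list is the Diceware list size used to show that a passphrase built from dictionary words is attacked word-by-word, so its length in characters overstates its strength. The model is simple brute force over a uniform keyspace; real attacks that use wordlists and rules finish much sooner than this for human-chosen passwords.

```python
"""Compare expected brute-force crack time against a password rotation interval.

Added example: the numbers and function names here are assumptions chosen for
illustration, not figures from the original post.
"""

SECONDS_PER_DAY = 86400

# Assumed attacker guess rates (guesses per second), not measured values.
FAST_HASH_GPU_RATE = 1e10   # e.g. an unsalted fast hash cracked offline on GPUs
SLOW_HASH_RATE = 1e5        # e.g. bcrypt with a sensible cost factor

# Assumed symbol-set sizes.
PRINTABLE_ASCII = 95        # letters, digits and punctuation
LOWERCASE = 26
DICEWARE_WORDS = 7776       # Diceware word list size; a word is one "symbol"


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates when each of `length` positions is drawn from `alphabet_size`."""
    return alphabet_size ** length


def expected_crack_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return keyspace(length, alphabet_size) / 2 / guesses_per_second


def rotation_outpaces_cracking(length: int, alphabet_size: int,
                               guesses_per_second: float, rotation_days: float) -> bool:
    """True when the expected crack time exceeds the rotation interval."""
    return expected_crack_seconds(length, alphabet_size, guesses_per_second) > rotation_days * SECONDS_PER_DAY


def min_length_to_outlast(alphabet_size: int, guesses_per_second: float,
                          rotation_days: float) -> int:
    """Smallest length whose expected crack time exceeds the rotation interval."""
    length = 1
    while not rotation_outpaces_cracking(length, alphabet_size, guesses_per_second, rotation_days):
        length += 1
    return length


def _fmt_days(seconds: float) -> str:
    return f"{seconds / SECONDS_PER_DAY:,.1f} days"


if __name__ == "__main__":
    # The two policies from the post: 6-8 complex characters every 2-4 weeks
    # versus 30-40 characters every 3 months.
    for length, alphabet, rotation, label in (
        (8, PRINTABLE_ASCII, 14, "8 printable chars, rotated every 14 days"),
        (30, LOWERCASE, 90, "30 lowercase chars, rotated every 90 days"),
        (4, DICEWARE_WORDS, 90, "4 Diceware words (~28 chars), rotated every 90 days"),
    ):
        for rate, hash_label in ((FAST_HASH_GPU_RATE, "fast hash"), (SLOW_HASH_RATE, "slow hash")):
            t = expected_crack_seconds(length, alphabet, rate)
            ok = rotation_outpaces_cracking(length, alphabet, rate, rotation)
            print(f"{label:55s} {hash_label:9s} expected crack {_fmt_days(t):>22s}  "
                  f"{'rotation wins' if ok else 'cracked before rotation'}")

    print()
    for alphabet, label in ((PRINTABLE_ASCII, "printable ASCII"), (LOWERCASE, "lowercase only")):
        print(f"min length to outlast 90-day rotation at {FAST_HASH_GPU_RATE:.0e} g/s, "
              f"{label}: {min_length_to_outlast(alphabet, FAST_HASH_GPU_RATE, 90)}")
```

Under the assumed fast-hash rate, the 8-character policy is exhausted in under four days, so two-week rotation does not help, while the 30-character lowercase string outlasts any practical rotation interval. The third row is the caveat to the post's length argument: four dictionary words are attacked as four symbols from a 7776-word list, not as 28 characters, and fall in about two days on a fast hash. The slow-hash rows show that the hashing choice the commenter mentions moves every figure by five orders of magnitude, which matters more than a few characters of length.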