A bit of a tangent here - but many password policies in companies these days have exactly the opposite effect of what they set out to do. In theory they might produce the most secure passwords on the planet, but it's how people implement these policies that's often their downfall.
Take the classic "change your password every 28 days" example. This is forced upon you by most companies I've seen, the idea being that if anyone does find out your password they only have a shortened time window in which to do anything. In practice though, this backfires for a few reasons:
- People can't, and won't, think up different unique passwords for each month. It'll generally be something like pass, pass01, pass02, pass03 and so on. Which pretty much invalidates the whole policy (if you find out a password and it's pass05, it's not too hard to guess what the next one might be!)
- The people that do create unique passwords will likely write them down somewhere on their desk to remember them - this undermines pretty much everything if they're found by a casual passer-by!
- However short the time window is for an attacker to work, they can most likely still do all the damage and retrieve all the data they like given a day or 2. So unless you make people change their password every day, this policy is pretty useless anyway.
Another point - it's true that non-alphanumeric characters and a mix of non-dictionary words make a strong password. But in practice this usually makes next-to-no difference. How come? Well, if you think about it there are a number of ways an attacker could break a password:
- He could use social engineering techniques to make a good guess at what it is
- He can find it stored somewhere unencrypted (or stored using a weak encryption algorithm)
- He could find a way to delete it and create a new one
- He could brute force it by trying every combination against a hash until he finds the right one.
Now, I'm willing to bet most passwords compromised are in the first category, and the next two also play a relatively decent role. But the chances of an attacker finding out a password via brute forcing it are pretty much 0, and unless your account is of some considerable value most won't bother. Obviously don't use dictionary passwords because they're really easy to break (they go into the second category more than the fourth.) But even using numbers is secure enough for most purposes.
I'm not trying to downplay security here at all, it's important and it's something we should all be taking note of. What I am trying to highlight is the biggest weakness - humans. It's all very well having these amazingly secure encryption algorithms, but if from a human level people take steps to circumvent them (intentionally or otherwise) then the whole thing is blown wide open. The most secure password in the world written down on a desk somewhere can suddenly become the least...
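
Added example, not part of the original post: one way a password-change handler could catch the pass01, pass02, pass03 pattern described above. It assumes the change form supplies the current password in plaintext alongside the new one; the function names and the distance threshold are illustrative.

```python
import re


def _base(pw: str) -> str:
    """Case-fold and strip the trailing run of digits/punctuation (the 'counter')."""
    return re.sub(r"[\W\d_]+$", "", pw.casefold())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_distance: int = 2) -> bool:
    """Return True when `new` is a predictable variant of `old`.

    Assumption: both values are available in plaintext at change time
    (the form asks for the current password), so no hashes are compared.
    """
    old_cf, new_cf = old.casefold(), new.casefold()
    if old_cf == new_cf:
        return True                      # only the letter case changed
    base_old, base_new = _base(old), _base(new)
    if base_old and base_old == base_new:
        return True                      # same stem, different counter/suffix
    return _edit_distance(old_cf, new_cf) <= max_distance


if __name__ == "__main__":
    # Constructed sample pairs (old, new) for illustration only.
    for old, new in [("pass05", "pass06"), ("Summer2023!", "Summer2024!"),
                     ("correct horse battery", "purple monkey dishwasher")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_rotation(old, new)}")
```
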