Password Insanity
Jeremy Zawodny's post about ADT's password policy had me wondering if this actually reduces the security of a password. It certainly reduces the solution space for a brute-force crack compared with a solution space where a password could be 8-15 alphanumeric characters. But as any good cracker knows, passwords tend to be susceptible to dictionary attacks, hence the rules ADT has implemented. So, in theory, ADT is forcing crackers back on a brute-force attack. But I'm guessing that this pushes users to certain patterns: for example, I wonder how many users use something like Yahoo!2006 for a password - if the requirement is to change every 90 days, then Yahoo!Feb2006. That would pass most of the recycling tests (which often mandate your password must differ from the previous one by at least 3 characters). At my last employer, one of my co-workers used the month and day of the last password change, e.g. February2006.
As it is, I like to use Password Minder for things I really want to be secure, and have a mental replacement algorithm that allows for all kinds of interesting combinations. For example, I'd turn February2006 into F3bru4ry2()()6, or incandescent into !c4nd3sc3n7. I tend to be able to come up with passwords that have pretty high strength and I have to remember only a word or two. What irritates me are the systems that can't accept anything but alphanumerics, or worse yet, numbers. All 3 of the financial institutions I do business with accept only numbers for passwords.
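Here is an added example (my own code, not from the original post or from ADT's system) of the kind of check a password policy would need in order to catch the patterns described above: a service name or month name followed by a year, the "differ by at least 3 characters" recycle rule, and leetspeak rewrites such as F3bru4ry2()()6 that hide a dictionary word. The substitution table, the small word list and the sample passwords are constructed for the example.

```python
import re

# Substitutions to undo; "()" is listed first so it is mapped before "0"
LEET = [("()", "o"), ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"),
        ("5", "s"), ("7", "t"), ("@", "a"), ("$", "s"), ("!", "i")]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
# Full names first, then 3-letter abbreviations not followed by another letter
MONTH_RE = re.compile("(" + "|".join(MONTHS + [m[:3] for m in MONTHS]) + r")(?![a-z])")
YEAR_RE = re.compile(r"(19|20)\d\d")
# Constructed mini word list; a real check loads a large dictionary
WORDS = {"password", "welcome", "yahoo", "incandescent"} | set(MONTHS)


def unleet(pw):
    """Map common symbol/digit substitutions back to letters (lowercased)."""
    s = pw.lower()
    for sym, letter in LEET:
        s = s.replace(sym, letter)
    return s


def stem(pw):
    """Strip year and month tokens so Yahoo!2006 and Yahoo!Feb2006 compare equal."""
    s = YEAR_RE.sub("", pw.lower().replace("()", "0"))
    return MONTH_RE.sub("", unleet(s))


def hamming_diff(a, b):
    # Differing positions, counting a length difference as changed characters
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def check(pw, previous=""):
    """Return the predictable patterns found; an empty list means it passed."""
    reasons = []
    plain = unleet(pw)
    letters = re.sub(r"[^a-z]", "", plain)
    if YEAR_RE.search(pw.replace("()", "0")):
        reasons.append("year")
    if MONTH_RE.search(plain):
        reasons.append("month")
    if any(w in letters for w in WORDS if len(w) >= 4):
        reasons.append("dictionary word after undoing substitutions")
    if previous:
        if hamming_diff(pw, previous) < 3:   # the usual recycle rule
            reasons.append("fewer than 3 characters changed")
        if stem(pw) == stem(previous):       # what the recycle rule misses
            reasons.append("same as previous apart from month/year")
    return reasons
```

Note that the small word list does not catch the post's !c4nd3sc3n7 (it de-leets to "icandescent", one letter short of the dictionary word), which is why real checkers pair substitution reversal with fuzzy matching against a large list.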