It is pretty obvious that weak passwords greatly increase the likelihood that a brute force attack will work.

However, since most (all?) systems revoke userids after a very small number of unsuccessful password attempts, the issue of strong vs weak passwords is totally irrelevant to your end users, so why burden them with strict password policies? Even a weak password will stand up to a brute force attack if the userid is revoked after 3 failures.

Protecting the password database from theft is the security administrator's job, not the end user's. It doesn't matter how strong the safe or how complex the combination if the thief can tuck it under his arm and take it home with him to work on at his leisure.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
