On Jan 2, 2012, at 8:45 PM, Steven Bellovin wrote:
> Minimum Length : 8
> Maximum Length : 12
> Maximum Repeated Characters : 2
> Minimum Alphabetic Characters Required : 1
> Minimum Numeric Characters Required : 1
> Starts with a Numeric Character
> No User Name
> No past passwords
> At least one character must be ~!@#$%^&*()-_+\verb!+={}[]\|;:/?.,<>"'`!
One site I saw would break when you exceeded the maximum length but silently
accept it. Making the users jump through sufficient hoops to generate a
password and keep it for the sake of "security" only serve to weaken the
resolve of users and complexity of passwords used.
Dare I say, if a password system is too cumbersome I may reject them as an
employer at some point out of frustration, or just call the help desk daily to
reset the password.
back to the OP question. I've used the Quest system as a user and found it
useful. Having this outside any VPN for your remote users is very helpful.
- Jared
