The following are essentially random thoughts about passwords. I tried to organize them into a logical sequence, but it's probably best if each paragraph is read in isolation:
I'm personally not all that worried about my account being compromised because the worst they could do is post as me and delete my messages. Added security for forum members with admin privileges seems appropriate, but I'm not sure that it's necessary for everyone. If many people are like me, this is just one of literally 100+ passwords they use online, and they choose a strong password where it matters (finance passwords and admin passwords), but 100+ strong passwords for accounts no one but the user cares about (and where a compromise would be no big deal anyway) is just not going to happen. Faced with this information management fiasco (of which this forum is just one small part), I would recommend filtering for passwords like "
Ab12345"
.
Increasing the entropy in passwords can generally improve security. I'm of the opinion that the best passwords are generally constructed as mnemonics for long phrases. Dictionary attacks won't work against them, and if the mnemonic is based on the distinctive letters in each word, alphabetic frequency information is less useful. Random passwords that are generated by computer and assigned have a tendency to either be quickly changed to a poor password or forgotten and reset by the admin over and over, so phrase mnemonics are about as close to random passwords as I think a human mind can wrap around.
On the other hand, I'm strongly convinced that policies requiring passwords to be changed every so often have a marked tendency to decrease security overall. If I have to pick only one password, I'm more inclined to come up with something random-looking, but significant to me, and memorizing it so I can use it indefinitely. But if I know I can only use it for a month or so, I am psychologically forced to choose something as easy as I can get away with just so I don't forget it. (Even if I write them down, I'll still try to pick something easy since writing down gibberish just feels like I'm going to make a copying error with no clues as to how to fix it once I discover the problem.)
So I guess I'm saying that even if it's frustrating for me (an ordinary forum user) to have to change one of the many passwords I use online to something more secure, I'll be okay with that since it's just once. Also, I'm glad you're not going to a periodical password change policy since, in my view, it would only add aggravation and reduce security.
____________________________
I was charged with conspiracy to commit jay-walking, and accessory to changing lanes without signaling after the fact
.
++Adam H. Peterson
