Reply to post: What's so difficult?...

No, eight characters, some capital letters and numbers is not a good password policy

Sean o' bhaile na gleann

What's so difficult?...

I find it truly difficult to understand the fuss about choosing passwords. Perhaps it's just my mind-set. It often seems to me that 'computer security' is just a money-making FUD generator.

My current employer is very typical of all the sites I've worked at with regard to passwords:

...Eight characters max length

...First character must be alphabetic

...Case-insensitive (lower-case gets translated to upper-case by default)

...Use of @ ! $, etc is frowned upon because of code-page translation difficulties (SecAdmin says "Use 'em if you want, but don't come crying to me if things go wrong!")

...Passwords expire every 30 days

...New password cannot be any of the previous thirteen

...New password cannot feature anything from a long list of prohibited character sequences

...Three tries and you're out. (SecAdmin has to manually reset password to an expired one that I have to change again upon first - successful - retry)

Coming up to my 50th-ish year of working on IBM mainframe systems protected by RACF and I've never once, not ever, had my password cracked or my account hacked, etc., and - to the best of my knowledge - none of the systems I've worked on has suffered any form of exposure either (if they did then *I* never got to hear about it).
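The rules listed in the comment above, modelled as an added example that is not part of the original post or of any RACF tooling: a checker for new passwords plus the size of the search space the rules leave. The entries in `PROHIBITED` are constructed placeholders (the site's real list is not given), and the keyspace figure assumes users stay away from `@ ! $` as the comment says they are urged to.

```python
import math
import string

# Rules as listed in the comment. The prohibited-sequence list is not on the
# page, so PROHIBITED holds constructed placeholder values.
MAX_LEN = 8
HISTORY_DEPTH = 13
PROHIBITED = ("PASS", "QWERTY")  # constructed, hypothetical entries
LETTERS = string.ascii_uppercase
ALNUM = string.ascii_uppercase + string.digits


def normalize(password):
    """Case-insensitive rule: lower case is translated to upper case."""
    return password.upper()


def violations(candidate, history):
    """Return the names of the listed rules a new password breaks."""
    p = normalize(candidate)
    broken = []
    if not 1 <= len(p) <= MAX_LEN:
        broken.append("length")
    if not p or p[0] not in LETTERS:
        broken.append("first-char")
    if p in {normalize(h) for h in history[-HISTORY_DEPTH:]}:
        broken.append("history")
    if any(seq in p for seq in PROHIBITED):
        broken.append("prohibited")
    return broken


def keyspace(rest=ALNUM):
    """Distinct passwords of length 1..MAX_LEN after case folding.

    Assumes users avoid @ ! $ etc., as the comment says they are urged to.
    """
    return sum(len(LETTERS) * len(rest) ** (n - 1) for n in range(1, MAX_LEN + 1))


def entropy_bits(rest=ALNUM):
    """Upper bound on entropy, reached only by uniformly random choices."""
    return math.log2(keyspace(rest))


if __name__ == "__main__":
    print(violations("secret99", ["SECRET99"]))   # case folding hits history
    print(keyspace(), round(entropy_bits(), 1))
```

The bit count is a ceiling: it only holds if every password is picked uniformly at random from the allowed set, which the 30-day expiry and thirteen-deep history make harder for people to do.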
