Re: Security level of SET PASS /GENERATE ?

In article
<7e686001-d849-4c98-a94f-36bcaf04ccc0@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, AEF
<spamsink2001@xxxxxxxxx> writes:

Longer is stronger. Contrary to CW, forcing users to use complex
passwords is more pain than gain. You gain A LOT MORE SECURITY by
making passwords longer vs. making them complex.

Yes. For the same reason, long usernames get less spam.

Exactly. This is yet another reason why increasing length is much
better than increasing "complexity". The only complexity checks should
be for stupid passwords like AAAAAAAAA or 12345678 and the like.
Things like using O's for zeros are not going to help much at all and
just make the system admin's job harder than it has to be.

Indeed. I have seen some expensive systems approved by expensive
security consultants which have all sorts of checks, require mixed case,
numbers, non-alphanumeric characters, letters etc. However, choosing a
number in the password and increasing it by 1 when the password needed
to be changed passed all the tests.

I don't really see the point of a relatively long lifetime. Either a
day or so, if it is for a test account or something, or infinite (which
gives the user a chance to think of a good, long password---ONCE). In
what situation will a lifetime of, say, a month help me?

.