http://blogs.technet.com/b/secguide/archive/2006/08/07/445411.aspxThere's been a lot of conversation about this topic recently on my project team, and I'm starting to agree that long non-complex passwords seem to be a better way to go than shorter "complex" passwords. Check out this article in Infoworld for an interestingen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/secguide/archive/2006/08/07/445411.aspx#3440344Fri, 08 Jul 2011 11:34:31 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3440344Corks<p>Right randomly generated passwords &nbsp;are more secure and gives the authority who issued these passwords control for all.if passwords are 18 characters long,it would take the hacker &nbsp;approximately to hack it</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3440344" width="1" height="1">http://blogs.technet.com/b/secguide/archive/2006/08/07/445411.aspx#448628Tue, 22 Aug 2006 18:59:51 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:448628derickcOur Password Management paper section on Password Policy in the Identity and Access Management Series covers this topic fairly well...<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=448628" width="1" height="1">http://blogs.technet.com/b/secguide/archive/2006/08/07/445411.aspx#445599Wed, 09 Aug 2006 02:44:42 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:445599AndyYes longer passwords can be harder to use, but the issue of usability comes into play. If you need to enter your password when you log in, when the screen locks up because you have been idle for two minutes or any other curious event that requires a password, entering in a long password gets pretty tiresome pretty quickly - especially if you've made it a complex one that is not easy to type. &nbsp;Associate that with a passphrase and a long password actually gives someone watching you type, a longer period to work out what your phrase is likely to be (if you are a user who is using a passphrase instead of letters of a passphrase) <br>Having a standard password that gets slightly modified as per the article also doesn't work when a web page insists you need between 6 and 12 characters - what happens if you password is 18 characters long? <br> <br>I really don't think there is such a thing as a magic formula to say what is complex and what isn't complex. &nbsp; <br> <br>Some people suggest using something like keeppass (iirc) that generates passwords but this is not much use if you use a different computer from time to time. <br><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=445599" width="1" height="1">http://blogs.technet.com/b/secguide/archive/2006/08/07/445411.aspx#445456Tue, 08 Aug 2006 00:51:54 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:445456BillCanThis tool is interesting, but it assumes that complex passwords are best (i.e., upper and lower case, special characters, etc.). &nbsp;Is anyone aware of scientific research that someone has done around this? &nbsp;I think this would make an excellent doctoral thesis: Complex Passwords and Long Passphrases: Theory and Practice. &nbsp;Any grad students out there?!<div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=445456" width="1" height="1">http://blogs.technet.com/b/secguide/archive/2006/08/07/445411.aspx#445417Mon, 07 Aug 2006 20:22:31 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:445417Blake HandlerYour company has a nice web tool for checking the &quot;strength&quot; of passwords. <br> <br><a rel="nofollow" target="_new" href="http://www.microsoft.com/athome/security/privacy/password_checker.mspx">http://www.microsoft.com/athome/security/privacy/password_checker.mspx</a><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=445417" width="1" height="1">