<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>How to create better passwords &amp; What is a PassPhrase anyway?</title><link>http://blogs.technet.com/b/steve_lamb/archive/2005/07/19/407871.aspx</link><description>I've heard Jesper talk about this many times and have used passphrases for a long time myself. The term "password" is in itself misleading as it suggests that a single word will suffice. Many of our companies force us to use absurdly complex passwords</description><dc:language>en-GB</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: How to create better passwords &amp; What is a PassPhrase anyway?</title><link>http://blogs.technet.com/b/steve_lamb/archive/2005/07/19/407871.aspx#408405</link><pubDate>Fri, 29 Jul 2005 23:26:58 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:408405</guid><dc:creator>Steve Lamb</dc:creator><description>Dave&amp;gt; Thanks for your very interesting comment. I can see that such a screen saver policy together with a passphrase would be frustrating. Statistically, having a ten character passphrase would be a reasonable compromise from a cryptanalysis perspective. I realise there's a cost implication, but smartcard authentication would be less painful with such a screensaver policy. How about increasing the screen saver interval and having forfeits for those who get caught by their team with an unlocked screen? I'm sure someone engaged on a long telephone call would be very frustrated if the screen saver cut in whilst they were talking.
&lt;br&gt;&lt;br&gt;What do you think?&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=408405" width="1" height="1"&gt;</description></item><item><title>re: How to create better passwords &amp; What is a PassPhrase anyway?</title><link>http://blogs.technet.com/b/steve_lamb/archive/2005/07/19/407871.aspx#408307</link><pubDate>Thu, 28 Jul 2005 14:42:22 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:408307</guid><dc:creator>Dave Pacheco</dc:creator><description>While I understand Jesper's point, it seems a little simplistic solution to me, and doesn't take into account the unintended consequences or the &amp;quot;real world&amp;quot; applications. Yes, a thirty character passphrase is more secure than an 6-character &amp;quot;complex&amp;quot; password. But out there are other security measures that conflict with it: specifically, password-protected screensavers. We have policies that enforce the screensaver coming up every 15 minutes, which seems to still be an industry standard for places that have lots of open, public machines. Just as users tend to write down the longer &amp;quot;complex&amp;quot; passwords of random letters, numbers and special characters on a sticky note, they will try to get around having to type in a 30+ character string every 15 minutes. When we tried to enforce 30+ char passphrases, we found that someone had written a program to &amp;quot;jiggle the mouse&amp;quot; every 10 minutes so the screensaver never kicked in, because they were so annoyed at all the typing they had to do every time they stopped using their computer for 15 minutes. This little program got passed around, and soon a ton of people were using it. 
Yes, tighter controls over the desktop might have prevented this app, but that's not the point of discussion here: it's that there are unintended consequences of the security measures that Jesper espouses, and those don't seem to ever be brought up in his discussions. In particular, the fact that users dislike having to type those long passphrases in over and over again, even when they are simple sentences. Just because I can remember &amp;quot;Mypasswordisthebestpasswordintheworld&amp;quot; more easily than &amp;quot;F(5%pr@m1&amp;quot; doesn't mean I prefer typing the former all day long. - Dave Pacheco, Manager, Architecture and Security, The Walt Disney Company</description></item><item><title>What do you take to the shower with you....?</title><link>http://blogs.technet.com/b/steve_lamb/archive/2005/07/19/407871.aspx#407955</link><pubDate>Wed, 20 Jul 2005 17:36:50 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:407955</guid><dc:creator>John Howard</dc:creator><description>Answer: A laptop keyboard.&lt;br&gt;I've been unable to do a lot of work for the past hour or so after spilling...</description></item></channel></rss>