http://blogs.technet.com/robert_hensing/archive/2004/08/23/218903.aspxGiven what I do, I tend to be pretty interested in technologies that will allow me to do away with passwords altogether. One area that's shown promise in the past is the use of graphical passwords (again, demonstrating that passwords are an antiquateden-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/robert_hensing/archive/2004/08/23/218903.aspx#226923Wed, 08 Sep 2004 20:23:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:226923H. CarveyIt just goes to show...passwords aren't the issue...it's how passwords are used that's the issue. <br> <br>I remember doing password cracking as part of vulnerability assessments 5 years ago, using L0phtcrack. In one case, we had a client w/ 3000+ users, and 85% of the SAM was cracked in 15 minutes. This was partially due to the fact that no requirements were put in place for strong passwords, but also due to the fact that when the helpdesk reset someone's password to &quot;password&quot;, they didn't (or couldn't) force the user to change it when they first logged in... <br> <br>This is just a subset of the bigger issue w/ regards to infosec, and things like the Principle of Least Privilege and defense-in-depth...you can't say somethings not working if it hasn't been employed correctly to begin with. Well...I take that back...you *can* say that, but it wouldn't be intellectually honest to do so...