Reply To: 12 Aug 17 – Password guru regrets past advice
I think the responsibility for safe password usage really lies with the people designing systems where a password will be needed. Just this past week I ran into a site (for a nationally known company) that requires a password to be between 6 and 12 characters, consisting only of letters and numbers. And this same company would not recognize any email address as being valid if it contained any capitalized letters. Everything (username and domain name) had to be lower case.
Simply locking someone out for a few minutes after 3 wrong guesses of a password would end the dictionary attack method. How many ways can you spell “password”?
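The lockout rule suggested in the reply above, sketched as an added example that is not part of the original post: a per-account counter that stops checking passwords for a fixed period after 3 consecutive wrong guesses. The 5-minute lockout (the post says only "a few minutes") and the names `LoginThrottle` and `guesses_checked` are assumptions made for illustration.

```python
class LoginThrottle:
    """Per-account lockout: after max_failures consecutive wrong guesses,
    refuse every attempt on that account for lockout_seconds."""

    def __init__(self, max_failures=3, lockout_seconds=300):
        self.max_failures = max_failures        # 3, as in the post
        self.lockout_seconds = lockout_seconds  # assumed: 5 minutes
        self._failures = {}      # account -> consecutive wrong guesses
        self._locked_until = {}  # account -> time the lockout ends

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'denied' (password checked and wrong) or
        'locked' (password not checked at all)."""
        if now < self._locked_until.get(account, 0):
            # During lockout even the correct password is refused, so the
            # response reveals nothing about whether the guess was right.
            return "locked"
        if password_ok:
            self._failures.pop(account, None)  # a success resets the counter
            return "ok"
        count = self._failures.get(account, 0) + 1
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)
        else:
            self._failures[account] = count
        return "denied"


def guesses_checked(throttle, account, duration_seconds):
    """Constructed scenario: one wrong guess per second against a single
    account. Counts how many guesses the server actually compared."""
    return sum(
        1
        for t in range(duration_seconds)
        if throttle.attempt(account, False, now=t) == "denied"
    )


if __name__ == "__main__":
    hour = 3600
    # max_failures above the number of attempts means the lockout never fires.
    unthrottled = guesses_checked(LoginThrottle(max_failures=hour + 1), "alice", hour)
    throttled = guesses_checked(LoginThrottle(3, 300), "alice", hour)
    print(f"guesses checked in one hour: {unthrottled} without lockout, "
          f"{throttled} with 3 tries / 5 minutes")
```
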