Scared of brute force password attacks? Just 'GIVE UP' says Microsoft

  • 4 September 2014

By Darren Pauli, 4 Sep 2014
 
Sysadmins trying to harden user passwords against brute force attacks, or everyday folks trying to make sure their passwords don't lead to nude selfie leaks, may not need to bother, according to the latest research from Microsoft mavericks.
Microsoft password provocateurs Dinei Florencio and Cormac Herley say password hardening isn't worth the effort to protect against brute force attacks - advice that came two months after they derailed the best practice wagon by stating everyone should choose simple login credentials and reuse them across websites.
Strength meters - the small bars that tell you if your password is weak or strong - are useless, the pair argue. So are guidelines suggesting users must have a mix of case and special characters or be of some pre-defined length.
"Honesty," they said, "demands a clear acknowledgement that we don't know how to [resist offline password guessing]: attempts to get users to choose passwords that will resist offline guessing ... must largely be judged failures."
 
Full article at The Register: http://www.theregister.co.uk/2014/09/04/scared_of_password_brute_force_microsoft_says_just_give_up/
