Furthermore, requiring strong passwords encourages users to write them down, usually in places they can easily be found. So much for security.
What I find most interesting about this article, though, is the emphasis on the responsibility of system administrators for security. All the rules for strong passwords shift an unreasonable - and possibly counter-productive - burden onto end users, who might be able to guard against keyloggers, but certainly not as well as sysadmins can. As Mr. Herley says, "It is not users who need to be better educated on the risks of various attacks, but the security community. ... Security advice simply offers a bad cost-benefit tradeoff to users."
We're all in this together, to be sure, but let's delegate responsibility appropriately.
Ken Pimple, PAIT Project Director