Strong Passwords No Safer than Weak Ones

[osprey4]

...says the New York Times

You know the drill: a mix of upper- and lower-case characters, both numbers and letters, and at least one symbol. Change your password every 90 days. And the new password can’t have more than four characters in common with the last dozen. It’s enough to make your brain hemorrhage.

Too bad you’re spending so much energy on these strong passwords, because the New York Times says it’s all a pointless exercise (unless the point of the exercise is to waste your time).

One well considered point? Keyloggers can compromise the most complicated passwords, so keeping a clean machine is the most important password rule.

[DemonKnight]

some one has to gain access to your system to install a key-logger, normally done with a Trojan virus or worm of some kind. good anti-virus and firewall systems stop those most of the time. I'd like to meet the author that made those statements and then see if they have a simple 3-4 letter password that is in fact a real word... I know a guy who uses a 64 character password, 16 letters, 16 numbers, 32 special characters. or something to that effect

[vass0922]

at work we use two-factor authentication (smart card) and its required to logon, user/pass logon is disabled.
biometrics is also a feature some home pc's are being shipped with (my home dell laptop allows facial recognition).

the only thing I have against long passwords are the longer it gets the more likely a standard user is going to write it down. Especially if you have multiple systems with varying passwords, it gets nearly impossible to know them all.