Strong passwords: deja vu all over again

I was at the CFET conference in Canterbury last week, then took a weekend off – quite a novelty… That's the city of Canterbury in the UK, by the way, not the region in New Zealand. (By the way, the papers I presented there will be available shortly.)
Coming back to the office after a few days without connectivity and trying to catch up with email and all that, I was initially confused to find an article in the New York Times by Randall Stross on "A Strong Password Isn’t the Strongest Security" which referred to a paper by Cormac Herley (and incidentally made some perfectly fair points about the shortcomings of passwording). Hadn't I seen this article before, and even blogged on it? Well, no. The article I'd seen before was in the Boston Globe and I blogged on it here.
As I've said before, I'm not fond of complex, hard-to-remember passwords that have to be changed at short intervals, forcing users into all sorts of potentially insecure evasion strategies. But the problem with both these articles (and Herley's original paper, which is actually well worth reading for its insight into the ergonomic shortcomings of many password systems) is that they don't really offer proven alternatives. They exist, of course, but static passwords are comparatively cheap to implement, which is why they've managed (continue reading...)

Source: ESET ThreatBlog

Copyright © 2012 The Security Blog. All rights reserved.