Re: Passwords.. security is in length, not complex
EDIT: Leeoniya, you are right on the money on the delays. I've got to type faster.
I don't think that length above 12 characters gives any significant advantage if you are using a mature operating system which is set up correctly. (SEE turbodog's post for a good example.)
I thought that some of Robert Hensing's comments in the article that the OP linked to were very typical of the loopy 'security culture' which has been prevalent among MS higher-ups since the very beginning.
When Mr. Hensing makes a statement claiming that 14 character pass-phrases are quick to brute force you must remember two things: First of all, he's not even considering any operating system outside of Microsoft -- they do not exist as far as he is concerned. Secondly, like all of the other big-shots at MS he has yet again revealed that they are only capable of viewing the user as a stumbling, ignorant buffoon incapable of setting up his box securely. (Again, turbodog's elegant solution is far more valuable in the real world than any great wisdom Mr Hensing has to offer in his article.)
Getting back to the first point. Long pass-phrases are only needed on default installs of Windows. That's who he's talking to in the article. As I said earlier, I usually use a 12 character pass-phrase of mixed cases, with numbers and odd characters thrown in. If Mr Hensing were to try to brute force what he calls my short pass-phrase my OS would allow him three chances to get it right and when he failed a delay of a few seconds would be introduced before he could mount another attempt. This delay would grow slightly longer with each incorrect guess. Mr Hensing and all of his children would be long dead before he could brute force my 12 character pass-phrase. That is the way a mature operating system behaves right out of the box, with a default install.
What Mr Hensing is really saying is that Microsoft would rather inconvenience ALL of its user base forever by having them type 42 character pass-phrases because they refuse to modernize their code and fix the problems associated with their weak default install. That's right, guys, as far as Mr Hensing is concerned, it's your problem and you're on your own.
In order to sell this Mr Hensing must turn the world upside down and try to convince all of us that all of the crypto experts on Earth are wrong and that the weaknesses in Windows don't really exist if the lazy users can just be convinced to type huge pass-phrases, all of the time.
Mr Hensing's article is not about security, it's about PR. It's cheaper in the short run to massage the problems with their OS than it is to fix them. I think that it is generally a bad practice to get security advice from marketing firms.
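Added example, not part of the post above and not anyone's product code: a small Python simulation of the escalating-delay login gate the post describes (a few free attempts, then a delay that grows with every further failure), together with the arithmetic for how long an attacker needs to push a whole keyspace through that gate versus how long the same keyspace takes offline against a stolen hash. The concrete thresholds (3 free tries, 2 s base delay, x1.5 growth, 1 hour cap), the 10^10 hashes/s offline rate and the simulated clock are all assumptions chosen for illustration.

```python
"""Added example: an escalating-delay login throttle and the guessing-time
arithmetic behind the post's argument. Thresholds and rates are assumptions."""
import hmac


class ThrottledLogin:
    """Login gate: a few free attempts, then a delay that grows with each
    further failure (assumed: 3 free tries, 2 s base, x1.5 growth, 1 h cap)."""

    def __init__(self, password, free_attempts=3, base_delay=2.0,
                 growth=1.5, max_delay=3600.0):
        self._password = password.encode()
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.growth = growth
        self.max_delay = max_delay
        self.failures = 0          # consecutive wrong guesses so far
        self.locked_until = 0.0    # simulated-clock time when the gate reopens

    def delay_after(self, failures):
        """Delay imposed once `failures` consecutive wrong guesses have occurred."""
        if failures < self.free_attempts:
            return 0.0
        raw = self.base_delay * self.growth ** (failures - self.free_attempts)
        return min(raw, self.max_delay)

    def attempt(self, guess, now):
        """Try `guess` at simulated time `now`. Returns (status, seconds_to_wait)."""
        if now < self.locked_until:
            return "throttled", self.locked_until - now
        if hmac.compare_digest(guess.encode(), self._password):   # constant-time compare
            self.failures = 0
            return "ok", 0.0
        self.failures += 1
        delay = self.delay_after(self.failures)
        self.locked_until = now + delay
        return "fail", delay


def keyspace(alphabet_size, length):
    """Number of candidates for a password of `length` symbols from the alphabet."""
    return alphabet_size ** length


def offline_time(guesses, hashes_per_second):
    """Seconds to try `guesses` candidates against a stolen hash: no throttle applies."""
    return guesses / hashes_per_second


def online_time(guesses, free_attempts=3, base_delay=2.0, growth=1.5, max_delay=3600.0):
    """Seconds the throttle alone imposes on `guesses` consecutive wrong guesses
    through the login prompt (closed form; network and typing time ignored)."""
    delayed = max(0, guesses - free_attempts + 1)   # failures that carry a delay
    total, i = 0.0, 0
    while i < delayed and base_delay * growth ** i < max_delay:   # uncapped terms
        total += base_delay * growth ** i
        i += 1
    return total + (delayed - i) * max_delay                       # remainder at the cap


YEAR = 365.25 * 24 * 3600

if __name__ == "__main__":
    gate = ThrottledLogin("correct horse")          # constructed sample password
    for t, g in [(0.0, "a"), (0.0, "b"), (0.0, "c"), (1.0, "correct horse"), (2.0, "correct horse")]:
        print(f"t={t:<4} guess={g!r:16} -> {gate.attempt(g, t)}")
    for label, n in [("8 lowercase", keyspace(26, 8)), ("12 printable ASCII", keyspace(95, 12))]:
        print(f"{label}: offline at 1e10/s {offline_time(n, 1e10):.3g} s, "
              f"online through throttle {online_time(n) / YEAR:.3g} years")
```

What the numbers show: through the gate, even the 8-character lowercase keyspace (26^8, about 2.1e11 guesses) costs on the order of 10^14 seconds once the delay hits its cap, so a single-session online guesser is stopped regardless of length. The same keyspace falls in about 21 seconds at 10^10 hashes per second, because the throttle only governs the interactive login path; once a hash has been copied off the box there is no delay to wait for, and only the password's size and the cost of the hash function remain.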