Why is it that web sites will force you to have a minimum 8-character passw ord, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?
Is there any proof that these schemes work? I mean, other than getting people to select something other that "password" or "1234"?
I say that if I have to write it down to remember it -- by definition it is less secure.
(And some of my colleagues wonder why I say "I.T." is the janitorial work o f engineering! :)