"Stop using difficult-to-guess passwords" - GCHQ

http://www.independent.co.uk/life-style/gadgets-and-...

Ahem!

Impact of forgetting password v impact of compromised password?

TheRegister seems to have a better write up and the advice wasn't about password strength - rather the rules the sites try and impose such on passwords.- they also suggest allowing use of "use of password storage lockers"

Hmm. Eggs in the basket is not my preferred method, but it might suit some types of user/business.

I tend to have three types of password. Very strong (15-30 characters depending on any limitations) for router and web accounts that are critical, such as admin access to websites. Strong (10-20), usually made up of 2-3 words known only to me and a random number for things like online purchasing, and weak 8-10 characters for protected files.

I'm the only user of this PC, and that's the best security of all. Know who uses what, and what access they have to any systems. Also apply group security according to risk / impact / user savvy.

Regarding the GCHQ advice, I thought it less than sensible to the have the 'leading' IT security organisation (or the one we all think should be leading), giving advice to relax. That should come from IT management on a business by business or mission by mission basis.

It isn't about relaxing security it is more about understanding what causes people to weaken security to cope with things thrown at them to "maintain" security and pick the least harm route.