>>Has anyone ever implemented a system to enforce non-similarity business rules?
Sure. Every month, the first time a user logs in generate a new random password, show it to him, and tell him to write it down. You can't force people to invent and memorize an endless stream of unrelated strong passwords. We just can't do it. Yes, password reuse can be a problem, but I cannot tell you of how tired I am of self-important web sites that demand super strong passwords to protect stuff of only minor value. My least favorite one contains nothing but some conference papers they want me to review. My second least favorite only lets me look at statements for my credit card merchant account, with the card numbers redacted. The more often you make people change passwords, the less effort they are willing to put into each password, so you can be absolutely sure that if you demand a new password every month, they will use dog+digit or whatever is the easiest way to get a password that will let them log in and get their fripping job done. R's, John _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
