Do we really need strong passwords? | Naked Security
They also set out to determine just how strong a password used on a website needs to be to withstand a real-world attack.
Their conclusion is that creating strong passwords is wasted effort a lot of the time.
(...)
The conclusion of the report is that there are effectively two kinds of passwords: those that can withstand one million guesses, and those that can withstand one hundred trillion guesses.
(...)
Systems administrators, they say, should stop worrying about getting users to create strong passwords and should focus instead on properly securing password databases and detecting leaks when they happen.