Passwords
It seems to me that we continue to take the WRONG approach with passwords, making them longer and more complex. If you can continue to bombard the password server with new combinations, eventually you will crack the password. The real problem lies NOT with the user, but with the application. What if your application allowed you, say, three attempts to log on, and if you failed three times it would not allow another attempt for an hour, or two hours, and in the second pass you had two attempts, and if you failed again, you had to contact system security to have your password reset? Passwords should also be one-way encrypted by the system, to be sure that no one could ever find a username/password file.
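As an added example (not the poster's code), the following Python sketch implements the two-pass lockout schedule described above together with one-way password storage. It assumes the schedule as stated (three attempts, a one-hour lockout, two more attempts, then an administrator reset), uses PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt as the one-way function, and takes an injectable clock so the timing can be exercised without waiting an hour. The class, function and constant names are hypothetical.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy parameters taken from the post's description (assumed, not from any product).
FIRST_PASS_ATTEMPTS = 3
SECOND_PASS_ATTEMPTS = 2
LOCKOUT_SECONDS = 3600
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way hash: returns (salt, digest). The plaintext password is never stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class AccountState:
    salt: bytes
    digest: bytes
    failures: int = 0          # failed attempts in the current pass
    pass_number: int = 1       # 1 = first pass (3 tries), 2 = second pass (2 tries)
    locked_until: float = 0.0  # epoch seconds; 0 means no temporary lock
    needs_reset: bool = False  # set once the second pass is exhausted


class LoginThrottle:
    """Hypothetical login service applying the post's lockout schedule per account."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._accounts = {}  # username -> AccountState (an in-memory stand-in for a user store)

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._accounts[username] = AccountState(salt, digest)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_password', 'locked', 'reset_required' or 'unknown'."""
        acct = self._accounts.get(username)
        if acct is None:
            # Do the same amount of hashing work so an unknown name is not faster to test.
            hash_password(password, b"\x00" * 16)
            return "unknown"
        if acct.needs_reset:
            return "reset_required"
        now = self._clock()
        if now < acct.locked_until:
            return "locked"  # during the lockout even the right password is not checked
        if verify_password(password, acct.salt, acct.digest):
            acct.failures = 0
            acct.pass_number = 1
            return "ok"
        acct.failures += 1
        allowed = FIRST_PASS_ATTEMPTS if acct.pass_number == 1 else SECOND_PASS_ATTEMPTS
        if acct.failures >= allowed:
            if acct.pass_number == 1:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.pass_number = 2
                acct.failures = 0
                return "locked"
            acct.needs_reset = True
            return "reset_required"
        return "bad_password"

    def admin_reset(self, username: str, new_password: str) -> None:
        """System-security reset: stores a new credential and clears all counters."""
        self.register(username, new_password)


if __name__ == "__main__":
    svc = LoginThrottle()
    svc.register("alice", "correct horse battery staple")
    for attempt in ("guess1", "guess2", "guess3", "correct horse battery staple"):
        print(attempt, "->", svc.login("alice", attempt))
```

Two details worth noting: the throttle state is keyed by account and persists across requests, so it has to live in the user store rather than in the web session, and the stored record holds only the salt and digest, which is what makes a leaked username/password file useless on its own.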