Geoffrey wrote:
I take this one step further. Take a longer phrase and use the first character of each word. Throw in some type of punctuation. Do the typical substitutions and you can generate a relatively obscure password:
There are 11 players on a football team and 9 on a baseball team.
Ta11poafta9oabt.
It's clever and nifty, but users hate it. You see, it means that every time they type in their password, they have to think about it, and they will frequently make typing errors, increasing frustration as they run through it constantly wondering if they maybe missed a letter or mistyped, since they can't see what they're typing. For a tech, it's a good system; the average user hates it. This comes back to the initial problem: security is a human issue. The more difficult, time-consuming or annoying it is for the user, the better the chance that it will simply be circumvented.
To be honest, though, I haven't seen a real dictionary attack in many years. Mostly, it's people knocking on port 22 looking for a passwordless account. (Or ones with the password "password" or "guest")
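Geoffrey's phrase-to-password scheme, written out as a small script so the derivation and the "very small dictionary" point can be checked. This is an added example, not code from either poster; the substitution table, the character-class keyspace estimate and the three-entry wordlist are my assumptions (the post never lists which "typical substitutions" it means).

```python
import math
import re

# Assumed "typical substitutions"; Geoffrey's post does not list its own set.
# Only lowercase letters are mapped, so a leading capital survives as-is.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# A word is an alphanumeric core plus any trailing punctuation ("team." -> "team", ".").
_TOKEN = re.compile(r"^([A-Za-z0-9']+)([^A-Za-z0-9']*)$")

# Constructed wordlist reflecting the replies' joke: empty, "password", "guest".
TINY_WORDLIST = ["", "password", "guest"]


def phrase_to_password(phrase: str, substitute: bool = False) -> str:
    """Derive a password from a phrase the way the post describes:
    first character of each word, numbers kept whole, sentence
    punctuation kept, optional character substitutions applied."""
    parts = []
    for token in phrase.split():
        m = _TOKEN.match(token)
        if not m:
            # Punctuation-only token (a lone "-" or "&"): keep it verbatim.
            parts.append(token)
            continue
        core, punct = m.groups()
        # "11" stays "11"; "players" becomes "p".
        piece = core if core.isdigit() else core[0]
        if substitute:
            piece = "".join(LEET.get(c, c) for c in piece)
        parts.append(piece + punct)
    return "".join(parts)


def naive_keyspace_bits(password: str) -> float:
    """Crude upper bound: pool size from the character classes present,
    raised to the password length, expressed in bits. It overstates the
    real strength of a phrase-derived password, since an attacker who
    knows the scheme searches phrases, not random strings."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def dictionary_hit(candidate: str, wordlist=TINY_WORDLIST) -> bool:
    """True if the candidate is in the (here, deliberately tiny) wordlist."""
    return candidate in wordlist


if __name__ == "__main__":
    phrase = "There are 11 players on a football team and 9 on a baseball team."
    pw = phrase_to_password(phrase)
    print(pw, f"~{naive_keyspace_bits(pw):.0f} bits (naive)")
    print(phrase_to_password(phrase, substitute=True))
    for c in ["", "password", "guest", pw]:
        print(repr(c), "in tiny wordlist:", dictionary_hit(c))
```

The unsubstituted output reproduces the post's `Ta11poafta9oabt.` exactly; the substituted variant shows why users struggle with the scheme, since every `a` and `o` now has to be recalled as `@` and `0` while typing blind. The keyspace number is only a ceiling: it treats the string as if it were random, which a phrase-derived password is not.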
I'd say that's just a very small dictionary they're working from. :)
Vocabulary isn't their strong point. :)