This article has several ideas that are fundamentally flawed - but here's the most easily falsifiable one:
"What’s worse, a weak password, or a password that sits on your desk?"
Contrary to what is said in the article, a weak password is worse - no question. A password that sits on my desk is only available to people who break into my home. If they do that, they probably have access to other documents of some importance.
A password that is weak can allow anyone access to my account, from anywhere.
He mentioned login attempts in the article. Someone tries the wrong password more than a few times and the account gets locked. That should thwart any and all dictionary/brute force/you name it attacks. So which is more secure, an impossible-to-accomplish remote attack, or a password sitting on your desk?
Bank password policies are retarded. I currently have one that requires 6 characters. No more, no less. This may be the worst offense I've seen but it doesn't excuse the other bullshit that passes as secure or acceptable in the banking arena. These guys need help.
I'm not trying to say that bank password policies make sense. They do need help.
"Allow weaker passwords and limit login attempts" is not the solution either, because it gives an attacker who has discovered my user id but not my password the ability to lock my account.