There have been news stories about how the Office of Inspector General, U.S. Department of the Interior, found weak passwords in the Department of the Interior’s Active Directory accounts:
- Passwords Are Terrible (Surprising No One)
- A fifth of passwords used by federal agency cracked in security audit
- A government watchdog spent $15,000 to crack a federal agency’s passwords in minutes
The OIG report:
P@s$w0rds at the U.S. Department of the Interior: Easily Cracked Passwords, Lack of Multifactor Authentication, and Other Failures Put Critical DOI Systems at Risk
It has password advice on page 8:
NIST SP 800–63 recommends using passphrases instead of passwords …
Password vs. Passphrase Examples
Password = 5pr1ng*Ish3re
Passphrase = DinosaurLetterTrailChance
I believe the passphrase words have to be chosen randomly from a large word list to be effective, but it is easier to remember than a complex password.
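
To make the point about random selection concrete, here is an added example (not from the OIG report or the original post) that draws words with a cryptographically secure random source and reports the resulting entropy, which depends only on the list size and the number of words. The sample word list and the function names are constructed for this illustration; the 7776-word figure is the size of a five-dice word list, used here as an assumption for comparison.

```python
import math
import secrets

# Constructed sample list for the demo only; a real list needs thousands of words.
SAMPLE_WORDS = ["dinosaur", "letter", "trail", "chance", "harbor", "velvet",
                "orbit", "pencil", "magnet", "canyon", "ribbon", "tunnel",
                "walnut", "meadow", "lantern", "puzzle"]

def clean_wordlist(words):
    """Lowercase, drop non-alphabetic entries and duplicates (duplicates would
    bias the draw and make the entropy estimate too high)."""
    return sorted({w.strip().lower() for w in words if w.strip().isalpha()})

def entropy_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly and independently from the list."""
    if list_size < 2 or n_words < 1:
        raise ValueError("need at least 2 distinct words and 1 draw")
    return n_words * math.log2(list_size)

def words_needed(list_size, target_bits):
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_passphrase(words, n_words=4):
    """Return (passphrase, entropy_bits) in the report's CapitalizedWords style."""
    pool = clean_wordlist(words)
    bits = entropy_bits(len(pool), n_words)
    # secrets.choice uses the OS CSPRNG; random.choice is not suitable here.
    chosen = [secrets.choice(pool) for _ in range(n_words)]
    return "".join(w.capitalize() for w in chosen), bits

if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS, 4)
    print(f"{phrase}  ({bits:.1f} bits from a {len(SAMPLE_WORDS)}-word demo list)")
    print(f"4 words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
    print(f"words needed from 7776 for 64 bits: {words_needed(7776, 64)}")
```

The entropy figure holds only when every word is drawn by the generator; picking words by hand, or re-rolling until the phrase looks memorable, shrinks the effective search space.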