For 'online' systems which lock accounts after a small number of tries, it would *seem* like an 8 digit alphanum password (which isn't one of the trivial ones discussed earlier) would be sufficient, wouldn't it?
More than likely it would be fine. I guess I was commenting more on your question of brute force attacks being relevant in the days where you get X tries then the account is locked. If you choose even a moderately sane password (i.e. no sequential numbers, no keyboard sequences, no common words) then you'll be a lot safer than most people.
But attackers these days are more interested in *any* account, not a specific account. So brute force hacking has shifted from brute forcing passwords to brute forcing usernames. Imagine trying tonnes of common usernames (johnsmith@gmail.com) against the top 3 most common passwords. You're bound to strike gold soon enough. Attackers will most likely have access to large email databases of legitimate addresses to use in their attempts. Sites allowing / encouraging / requiring you to use your email as your username these days only make things easier for such attackers.
One thing some companies do is require X of Y characteristics, i.e. your password must be at least 8 characters long and contain at least 3 out of the following 4: {lowercase letter, uppercase letter, number, special character}.
So your keyspace is far larger than with "must have a lowercase, uppercase, digit and special character". I think it's a nice compromise - but of course, as this report shows, a hacker would still probably target [a-z0-9]{8}.
What would be interesting is if the change-password form predetermined the password requirements for this particular password, and these requirements were randomised each time the user wants to change the password. E.g. one time it may require a password of at least 8 characters, the next time it might require it to be 10 characters. One time it may require digits, another time it may require special characters. So an attacker in this case couldn't rely on a large populace having simple passwords of the bare minimum length, as the system forces some variance in those minimums. Sure, it'll probably piss off users even more... (And I'm the first to admit I'd be pissed off by such an approach too).
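To put numbers on the "3 of 4 classes" versus "all 4 classes" comparison above, here is an added worked example (not from the post or any product it mentions) that counts the keyspace of each rule at a fixed length with inclusion-exclusion and sets it beside the [a-z0-9]{8} space. It assumes US-ASCII classes with 33 printable symbols (space included) as "special".

```python
from itertools import combinations

# Class sizes for the four classes named in the post. Assumption: 33 printable
# ASCII symbols (space included) count as "special"; 26+26+10+33 = 95 printable
# ASCII characters in total.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def exactly(classes, length):
    """Strings of `length` drawn only from `classes` that use each of those
    classes at least once (inclusion-exclusion over the subsets of `classes`)."""
    classes = tuple(classes)
    total = 0
    for r in range(len(classes) + 1):
        for subset in combinations(classes, r):
            alphabet = sum(CLASSES[c] for c in subset)
            total += (-1) ** (len(classes) - r) * alphabet ** length
    return total


def at_least(k, length):
    """Keyspace of the 'at least k of the 4 classes' rule at a fixed length.
    The 'exactly S' sets are disjoint, so their sizes can simply be summed."""
    names = list(CLASSES)
    return sum(exactly(s, length)
               for r in range(k, len(names) + 1)
               for s in combinations(names, r))


def policy_keyspaces(length=8):
    """Compare the post's two policies with the [a-z0-9]{length} space."""
    return {
        "3_of_4": at_least(3, length),
        "all_4": at_least(4, length),
        "lower_digit_only": 36 ** length,   # [a-z0-9]{length}, for reference
        "any_printable": 95 ** length,      # no composition rule at all
    }


if __name__ == "__main__":
    for name, size in policy_keyspaces().items():
        print(f"{name:>16}: {size:.3e}  (~{size.bit_length() - 1} bits)")
```

Note that a password matching only [a-z0-9]{8} uses two classes and so is rejected by the 3-of-4 rule; the table shows how much of the remaining space each rule keeps.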
I've been involved in certifying a firewall to meet ICSA requirements. Let me say that it can only be a good thing to take into account what certifications the product has before using it. This includes FOSS and commercial.
While it's nice that you can review the source of FOSS tools, that gives you no guarantee that the tools are configured appropriately and securely. If you are in an organisation that requires a verifiable degree of security (or as management sees it: level of risk) then using certified products is a no-brainer. No one claims a certified product is absolutely secure, and you should never base a purchase decision purely on the 'does it have a shiny certification logo on the carton?', but when using a certified product you can at least say that X, Y & Z situations are covered. This is especially important in the situation of a breach, where the integrity of logging is important. You don't want your boss screaming at you because the timestamps were wrong or inconsistent, that some data was not logged, etc...
If you are interested, take a look at the criteria for certification for firewalls - http://www.icsalabs.com/technology-program/firewalls/modular-firewall-certification-criteria-version-41
There are a lot of FOSS based products, including the one I worked on, that are ICSA certified. You can have your cake and eat it.
The site links to several AJAX games and an IM app that run extremely slowly on the iPhone. "JavaScript speed on the iPhone is downright sluggish in most respects — a frustrating fact given that AJAX is the only current method for building dynamic third-party applications for the iPhone. (On a benchmark page) a MacBook Pro delivered test times of ~300 ms on average. Our in-house iPhones, however, delivered test times in excess of 9000 ms on average."
We are each entitled to our own opinion, but no one is entitled to his own facts. -- Patrick Moynihan