Wednesday, April 05, 2006

Password Best practices, Weakest Link?

What do you think is the most common way for an intruder to get access to a system?
My educated guess would be default passwords, or weak or easily guessable passwords. At the very least, once an intruder/hacker manages to break into one system with user privileges, he/she will have a smorgasbord of password hashes to try and break.

I am not the first one to write about the importance of using more complex passwords for users and administrators: a minimum of 8 characters, and a mixture of alpha, numeric and special characters.

If an intruder manages to break into a network and get hold of a dump of password hashes (pwdump against Active Directory, or the shadow file on a Unix system), he/she will most likely try to brute force it to recover the cleartext passwords. So if one, two or three out of a hundred passwords are weak, < 8 characters, the first cleartext password is just seconds or minutes away.

He/she can then most likely re-use this password to get further into the network, as users and administrators tend to use the same password on many different systems. An administrator might even have a user account with the same password as his admin account. This is something an intruder will try to figure out for sure.

So if you just add some extra strength to your passwords, and try not to re-use passwords, this little effort will enhance the overall security of your network a great deal.

Examples of strong passwords could be:

8 characters

WK.yr)29
C=DkW1LF
r1[PK1J[

12 characters
~0nf!I(Kch\1

20 characters
lVcvuy?R3nAOF%?dOf~u
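As an added example (not part of the original post), here is a small Python script that encodes the rule above as a policy check, estimates how large the brute-force search space is for a given password, and generates passwords of the same shape as the samples above using the operating system's CSPRNG. The function names and the 32-character special set are my assumptions; the post only states "alpha, numeric and special characters".

```python
import math
import secrets
import string

# Character classes from the post's rule: alpha, numeric and special.
# string.punctuation (32 characters) is assumed as the "special" set.
ALPHA = string.ascii_letters
DIGITS = string.digits
SPECIAL = string.punctuation
MIN_LENGTH = 8


def check_policy(password: str) -> list:
    """Return a list of violations of the post's rule (>= 8 characters,
    containing alpha, numeric and special characters). Empty list = passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c in ALPHA for c in password):
        problems.append("no alphabetic character")
    if not any(c in DIGITS for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    return problems


def search_space_bits(password: str) -> float:
    """Size in bits of the search space an attacker holding the hash must
    cover, assuming they know only the length and which character classes
    are used. Mixing classes and adding length both raise this number."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in DIGITS for c in password):
        alphabet += 10
    if any(c in SPECIAL for c in password):
        alphabet += len(SPECIAL)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def generate_password(length: int = 12) -> str:
    """Generate a random password that satisfies check_policy. Uses the
    secrets module (OS CSPRNG), never the random module, for anything that
    protects an account."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = ALPHA + DIGITS + SPECIAL
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over passwords
        # that pass the policy; it retries only when a class is missing.
        if not check_policy(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed samples: the post's own examples plus two weak ones.
    for pw in ["WK.yr)29", "lVcvuy?R3nAOF%?dOf~u", "password", "Passw0rd"]:
        print("%-22s %5.1f bits  %s" % (pw, search_space_bits(pw),
                                        check_policy(pw) or "ok"))
    print("generated:", generate_password(12))
```

Running it shows why the post's rule matters: an 8-character lowercase word sits in a space of about 37.6 bits, while an 8-character password drawing on all four classes sits in about 52.4 bits, and each extra character adds roughly 6.5 bits more. Length is the cheapest way to push the attacker's brute-force cost up.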

If you need help storing all your passwords in a good and secure way, try Password Safe. It's free, and it's a million times safer to store your passwords encrypted with Password Safe or an equivalent tool than to keep them on paper or fall back on weak passwords.

Link to Password Safe 3.0

Password Safe runs on PCs under Windows (95/98/NT/2000/XP). An older (but fully functional) version is available for PocketPC. Linux/Unix clones that use the same database format have also been written (see Related Projects).
