Forum OpenACS Q&A: Re: Interesting article on web based password protection

Posted by Dave Bauer on
Strong passwords might not be the best solution. One statistic I heard at a recent security conference said 50% of 5-character passwords are breakable using the default settings on a password cracking program. Moving to 8 characters, only 80% are crackable. So if you have 1000 accounts, only 200 will be compromised instead of 500.

So usability is also definitely a factor in security.

The session was by Peter Tippett of TruSecure. He said that having 5 layers of security, each 80% effective, was easier to implement and had pretty much the same effectiveness as one layer that is 100% effective. We all know that 100% security is impossible, so the point is we need to address security at several different points, and also explain to the clients how the multiple levels of security interact.