Reply to post: Re: Don't Just Blame Users

Just give up: 123456 is still the world's most popular password

Phil W

Re: Don't Just Blame Users

"I prefer to teach people to use strong, gibberish passwords, minimum 12 characters"

This will almost certainly mean their passwords are getting written down. It takes a very special kind of mind to remember a completely random sequence of letters, numbers and other characters and also associate that random sequence with a particular website.

"Teach them to use a password safe."

All password safe type applications I've seen have the same obvious flaw, in that you use a password to access them. Sure, no-one can guess or easily brute force your online account passwords if they're massively complex, but if you store them in a password safe all that's needed is to compromise the security of the password safe and ALL of your passwords have been simultaneously compromised.

The best solution is to teach people to create passwords that are complex enough that they can't be guessed or brute forced easily, but are based on some meaningful pattern that allows the user to remember them.

As long as you don't pick an obvious pattern, like your spouse's initials and date of birth, this can be sufficiently secure for almost any purpose. Pick two or more memorable but unrelated pieces of information, for example your work post (zip) code and a sibling's date of birth.

You can even harness old fashioned simple cipher techniques. For instance, take the reg (license) plate number of a car you used to own (but not your current one, just to add obscurity), then to make that even more secure alternately increment and decrement each character by one, so X81 EDR becomes Y72 DEQ.

These systems are by no means foolproof, and can still be forgotten, but at least they are meaningful enough that you stand a chance of remembering them but seemingly random enough that they can't easily be guessed or brute forced.
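
The alternating shift described in the comment above, written out as an added Python example (not part of the original post). Wrapping Z to A and 9 to 0, and passing spaces through without consuming a step, are assumptions the comment does not specify; every plate other than X81 EDR is constructed.

```python
import string

# Each character is shifted inside its own alphabet, so letters stay letters
# and digits stay digits (assumption: the ends wrap, Z+1 -> A and 0-1 -> 9).
ALPHABETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def alternate_shift(text, first=1):
    """Alternately add and subtract 1 from each letter/digit, starting with `first`."""
    out, delta = [], first
    for ch in text:
        alphabet = next((a for a in ALPHABETS if ch in a), None)
        if alphabet is None:
            out.append(ch)  # space/punctuation: unchanged, does not use up a step
            continue
        out.append(alphabet[(alphabet.index(ch) + delta) % len(alphabet)])
        delta = -delta
    return "".join(out)


def undo_shift(text, first=1):
    """Reverse alternate_shift by running the same walk with the signs flipped."""
    return alternate_shift(text, first=-first)


def is_one_to_one(samples):
    """True if distinct inputs always give distinct outputs for these samples."""
    return len({alternate_shift(s) for s in samples}) == len(set(samples))


if __name__ == "__main__":
    # First plate is the comment's own example; the rest are constructed.
    plates = ["X81 EDR", "Z90 AAA", "A10 ZZZ"]
    for plate in plates:
        shifted = alternate_shift(plate)
        print(plate, "->", shifted, "->", undo_shift(shifted))
    # The mapping is reversible and one-to-one: the shift produces exactly one
    # password per source string, never more.
    print("one-to-one:", is_one_to_one(plates))
```

Because the mapping is one-to-one, the number of possible results is the same as the number of possible source strings.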
