Picky Password Policy Pet Peeve

Back a few years ago, I was setting up some web apps for a friend and needed his password.

“Oh, try my non-sensitive password: ‘basketball’”

Sure enough, ‘basketball’ got me in.

That exchange was a reminder that there are different degrees of security and different comfort levels of risk associated with each of those degrees.

One person’s ‘basketball’ is another’s ‘vaj/YfS35S)*’

This difference even exists between the service provider and the person using the service – as J Wynia describes.

Computers are really good at generating random, unguessable strings; people aren’t.

If a service has any character requirements on a password, that service should – upon request – generate passwords fulfilling those requirements. Otherwise, take what the people want to use as their password.
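As an added example (not code from the original post), here is what that request could look like on the service side: a checker for a composition policy and a generator that is guaranteed to satisfy it, drawing every character from the operating system's CSPRNG. The policy (class names, character sets, minimum length) is an assumption made for the example, not any real service's rules.

```python
import secrets
import string

# Assumed policy for this example: the character classes a password must
# contain and the minimum length. Not taken from any real service.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
DEFAULT_REQUIRED = ("lower", "upper", "digit", "symbol")


def meets_policy(password, required=DEFAULT_REQUIRED, min_length=12):
    """True when the password is long enough and contains at least one
    character from every required class."""
    if len(password) < min_length:
        return False
    return all(any(c in CLASSES[name] for c in password) for name in required)


def generate_password(required=DEFAULT_REQUIRED, length=16):
    """Generate a password that cannot fail the policy.

    One character is drawn from each required class first, so every class
    is present; the remaining positions are filled from the union of the
    required classes. The list is then shuffled with the same CSPRNG so the
    mandatory characters do not sit in predictable positions."""
    if length < len(required):
        raise ValueError("length too short to include every required class")
    rng = secrets.SystemRandom()  # OS CSPRNG, never the default PRNG
    chars = [secrets.choice(CLASSES[name]) for name in required]
    alphabet = "".join(CLASSES[name] for name in required)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
```

The check and the generator share one definition of the policy, so a password the service hands out can never be rejected by the form that asked for it.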
