Saw the abstract of a new security paper via Scheier.
In short - strong passwords do not really do a better job of security accounts as you might think. This is because they do not do anything to prevent phishing and related social network attacks (not to mention good ol' sniffing of the network for passwords sent in the clear). And that the 3-strikes rule on most sites is sufficiently good enough security to prevent brute force attacks (I've long argued that most attacks do not go directly against the password database, but through the app and this seems to prove my hypothesis).
Another nugget from this abstract:
If a larger credential space is needed it appears better to increase the strength of the user ID's rather than the passwords.
Oracle Identity and Access Management products can help you implement both passwords as well as increase the strength of identities via Oracle Adaptive Access Manager. With the improved reporting in 11g Fusion Middleware it is also possible to track all password requests from the application they were entered through the directory services layer. Thus customers can be more aware of when password failures occur and why.
Thus can help create policies to help improve their security.
Because as they used to say on the old G.I. Joe cartoon - "knowledge is half of the battle".