In the article The Cornerstone of Internet Security: Strategies to Construct a Proper Password, richmonjames offers some generally sound advice about web password security; however, a number of the recommendations are of questionable validity:
- Make your password as long as possible. Length raises the cost of offline cracking if a site's password database is stolen, but it provides no protection whatsoever against the most commonly used methods of web password harvesting - namely phishing and keylogging - while certainly placing a considerable burden on end users.
- Change your password every 30 days. Rotation only shortens the window during which a stolen password remains usable, so it helps only if the attacker is slow to act. Furthermore, for many users it simply wouldn't prove practical. As the article points out, many users have numerous password-protected accounts - from online banking to email to online store accounts - and changing each of those passwords every 30 days would be enormously time consuming.
In my opinion, it's perfectly OK for users to choose reasonably simple web passwords, so long as they cannot be easily guessed. And there's really no need for those passwords to be changed on a frequent schedule.
It's important that users are aware of security matters in general, including the risks associated with their surroundings - as illustrated by Bill Anderson's article Risky Business, Using Kiosk Computers.
The article Do Strong Web Passwords Accomplish Anything? from Microsoft Research makes for interesting reading.