Passwords don’t work. This is a big problem. A few notes.
- Don’t leet passwords! This is very annoying. :-) It’s very easy for an attack program to try every word in the dictionary with ‘3’ instead of ‘e’. This would be a very good way to set a password *if* one were the only person doing it - but you’re not.
- Requiring numeric digits doesn’t really help. What does the user then do? Put ‘1’ at the end. The attackers won’t try putting 1 at the end?
- Indicating password strength as the user types is useful, BUT most sites don’t do it right! They just say “stronger” when one adds, say, ‘1’. These strength meters should check for dictionary words. And leeting. :-)
- Requiring passwords to be changed at some interval is suspect. If I have to change my password every 90 days, I’m very likely to write it down. Or even worse, store it in a computer.
- Limiting the number of password retries is important, but there are still major problems. On a big service like gmail, almost every username one can conceive seems to be in use. So one attack is to simply try a million passwords with a million different usernames. Of course, a big service will also look for multiple tries not by username but by IP address — does your app do this? It better. And even with this, it’s a partial fix — a large botnet could still try quite a few.
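As an added example (not code from the post), here is a Python sketch of a strength meter that does what the notes above ask for: it strips the digit run users tack on the end, reverses the common leet substitutions, and checks the result against a dictionary before scoring, so “password1” and “p4$$w0rd” score no better than “password”. The word list is a constructed stand-in for a real dictionary or breached-password file.

```python
import re
from itertools import islice, product

# Constructed stand-in for a real dictionary / breached-password list.
WORDLIST = {"password", "welcome", "dragon", "letmein", "sunshine", "monkey"}

# Substitutions a cracking rule set tries, reversed. '1' is ambiguous (i or l).
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def naive_score(pw):
    """The 'stronger when you add a 1' meter: length plus character classes."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    return min(len(pw), 12) + 2 * classes


def unleet_candidates(word, limit=256):
    """All plain-text spellings a leeted word could have come from (capped)."""
    options = [list(LEET.get(c, c)) for c in word]   # '1' -> ['i', 'l'], 'p' -> ['p']
    return {"".join(p) for p in islice(product(*options), limit)}


def dictionary_base(pw, wordlist=WORDLIST):
    """Return the dictionary word pw is built from, or None if there is none."""
    core = re.sub(r"[0-9!.?]+$", "", pw.lower())      # drop the '1' (or '2024') on the end
    for cand in unleet_candidates(core):
        if cand in wordlist:
            return cand
    return None


def score(pw, wordlist=WORDLIST):
    """Meter that refuses to reward leeting or a trailing digit on a dictionary word."""
    if dictionary_base(pw, wordlist):
        return 0
    return naive_score(pw)


if __name__ == "__main__":
    for pw in ("password", "password1", "p4$$w0rd1", "l3tm31n!", "xq7ryvb2kf"):
        print(f"{pw:12} naive={naive_score(pw):2}  checked={score(pw):2}  "
              f"base={dictionary_base(pw)}")
```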
So what to do? For starters, have a good password for yourself. Forget numbers (unless you want to use a really long one — your birth year is not “long”, as there are fewer than 100 of those!). Instead, use either (1) words not in the dictionary or (2) a sequence of letters that is not a word. For example, take a sentence that is easy to remember, and use the first letter from each word. Perhaps this fails too if everyone were to start doing it. Any novel method to pick non-dictionary sequences might be good.
What to do for the rest of your system? Here are a couple of ideas for admin UIs. Many web sites have these, and they deserve higher levels of protection.
- Check for weak admin user passwords. You would be surprised.
- Use two-aspect authentication: have a master password that everyone in the org knows, require it to be entered once, and then store a cookie token for the browser, so it only has to be entered once per machine.
- One thing I like to do on admin systems, where the number of users is small, is send an email when there is a new login (or attempted login) from a new /24. For example, an email to noc@foo.com that says “first login (attempt) for user jsmith from 12.72.192.1.” Ideally with a reverse DNS lookup. That way, if someone is logging in from the other side of the world, you will notice. It won’t scale, but it is good for admin accounts if you only have a few.