I suggest that if you have controls in place to enforce strong passwords, the risk profile changes. To be clear, I'm referring primarily to the front line of defense: the network password you must have in order to gain access to confidential information, some of which has second and third layers of password protection.

Even though Microsoft does not allow us to automatically enforce appropriate strong password guidelines for network logins, strong passwords can be enforced. And though Microsoft continues to confound users with the "choose three of four" routine and doesn't offer a dictionary checker, strong password controls can still be implemented. I submit that strong awareness training can overcome this Microsoft vulnerability.

Let me define strong awareness training as a process that includes a periodic password file analysis and feedback routine. It is easy to learn to do your own password file analysis. The banks that do their own periodic password file analysis and give feedback directly to users have the highest success rate.
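The gap described above, where a password satisfies the three-of-four rule yet is still built on a dictionary word, shown as an added example (not code from the original article). The four character classes, the minimum length of 8, the substitution table and the word list are assumptions constructed for illustration.

```python
import re

# Assumption: the "three of four" rule means at least three of these four classes.
CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")

# Common character substitutions undone before the dictionary lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed sample word list; a real check would load a large dictionary.
WORDS = ("password", "welcome", "summer", "winter", "bank")


def meets_three_of_four(pw, min_len=8):
    """True if pw is long enough and uses at least three character classes."""
    used = sum(1 for pattern in CLASSES if re.search(pattern, pw))
    return len(pw) >= min_len and used >= 3


def dictionary_hit(pw, words=WORDS, min_word=4):
    """Return the dictionary word hidden in pw, or None."""
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    for word in sorted(words, key=len, reverse=True):
        if len(word) >= min_word and word in letters:
            return word
    return None


def review(pw):
    """Feedback string for one candidate password."""
    if not meets_three_of_four(pw):
        return "reject: fails three-of-four rule"
    word = dictionary_hit(pw)
    if word:
        return f"reject: built on dictionary word '{word}'"
    return "accept"


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate in ("password", "Summer2024!", "Pa55w0rd1", "W1nter#9", "vK9#qLr2xT"):
        print(f"{candidate:12} {review(candidate)}")
```

The second rejection message is the kind of direct feedback a user can act on: the complexity rule was satisfied, but the base word was not.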