21
chippyash
Re: How to force the users of ours site to use safe passwords?
  • 2006/11/4 16:00

  • chippyash

  • Friend of XOOPS

  • Posts: 501

  • Since: 2004/1/29


Good work, rplima2004. You might also consider adding in the email address checking functionality hack that I posted in the news section on this site yesterday.

If anyone is wondering how you come up with strong passwords, here's a scheme that I have used very successfully in corporate environments. (This is for the English language, but the principle applies universally.)

1/ assign numbers to vowels e.g.
a = 3
e = 4
i = 5
o = 6
u = 7

Use whatever sequence of numbers you like but you have to remember the sequence.

2/ Choose a long phrase that means something to you. e.g. if you are into sailing you might consider "tall ships" to be such a phrase.

3/ Capitalize the phrase and remove spaces
e.g. TallShips

4/ substitute the vowels for your numbers
i.e. T3llSh5ps

Voila, you have a secure password.

If enforced password changes are implemented (very good idea imho) then simply add a month suffix or prefix to the password when you need to change it i.e. T3llSh5ps06 for a password changed in June.

Sorry if this sounds like teaching your grandmother to suck eggs, but it might help someone.

A
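The scheme in the post above, written out as a small script (this is an added example, not chippyash's code). The vowel map is the one from the post; the `password_problems` check is an assumed minimum policy of the kind the thread is asking for, not something the post specifies.

```python
"""Added example (not chippyash's code): the passphrase scheme from the post,
followed by an assumed minimum-strength check of the kind the thread is about."""
import re
from typing import Dict, List, Optional

# Step 1 of the post: vowel-to-digit map. Any mapping works, as long as it is remembered.
VOWEL_MAP: Dict[str, str] = {"a": "3", "e": "4", "i": "5", "o": "6", "u": "7"}


def encode_passphrase(phrase: str, vowel_map: Dict[str, str] = VOWEL_MAP,
                      month: Optional[int] = None) -> str:
    """Steps 2-4: capitalise each word, drop the spaces, replace vowels with digits.
    `month` (1-12) adds the two-digit suffix the post suggests for forced changes."""
    words = phrase.split()
    joined = "".join(w[:1].upper() + w[1:].lower() for w in words)    # "TallShips"
    encoded = "".join(vowel_map.get(ch.lower(), ch) for ch in joined)  # "T3llSh5ps"
    if month is not None:
        encoded += f"{month:02d}"
    return encoded


def password_problems(password: str, min_length: int = 8) -> List[str]:
    """Assumed policy (not from the thread): at least `min_length` characters with
    upper case, lower case and a digit. Returns the list of rules the password fails."""
    checks = [
        (len(password) >= min_length, f"shorter than {min_length} characters"),
        (re.search(r"[A-Z]", password) is not None, "no upper-case letter"),
        (re.search(r"[a-z]", password) is not None, "no lower-case letter"),
        (re.search(r"[0-9]", password) is not None, "no digit"),
    ]
    return [message for passed, message in checks if not passed]


if __name__ == "__main__":
    pw = encode_passphrase("tall ships")
    print(pw, password_problems(pw))                  # T3llSh5ps []
    print(encode_passphrase("tall ships", month=6))   # T3llSh5ps06
    print(password_problems("tallships"))             # ['no upper-case letter', 'no digit']
```

Running it reproduces the post's worked case: "tall ships" becomes `T3llSh5ps`, the June-change variant becomes `T3llSh5ps06`, and the plain lower-case phrase fails the assumed policy on both the upper-case and digit rules.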

22
giba
Re: How to force the users of ours site to use safe passwords?
  • 2006/11/4 16:17

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


No, your method is very good too.

But forcing users to change simple passwords is necessary.
Well, it depends on the site too.

[Edited by Giba]

I am looking into a parameter in the admin area for testing users' passwords.

If the password is simple, send an e-mail asking for a change within 30 days.
If the user has not changed the password by that day and has not logged in to the site, disable the account/login for that user and send an e-mail with this information.
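The 30-day rule sketched above, as a daily sweep over user accounts (an added example, not giba's code). The account records and dates are constructed for illustration; the 30-day grace period is the figure from the post.

```python
"""Added example (not giba's code): the 30-day rule described in the post as a daily
sweep over user accounts. Account records and dates below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

GRACE_DAYS = 30                 # from the post: 30 days to change a simple password
SWEEP_DAY = date(2006, 11, 4)   # constructed "today" for the sample run


@dataclass
class Account:
    name: str
    password_is_simple: bool        # outcome of the admin-area password test
    notified_on: Optional[date]     # when the "please change it" e-mail was sent
    last_login: Optional[date]
    disabled: bool = False


def sweep(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account name, action) pairs. 'notify' means send the change-request
    e-mail; 'disable' means the login is disabled and the user is e-mailed about it."""
    actions: List[Tuple[str, str]] = []
    for acct in accounts:
        if acct.disabled or not acct.password_is_simple:
            continue                                   # strong password or already handled
        if acct.notified_on is None:
            acct.notified_on = today                   # start the 30-day clock
            actions.append((acct.name, "notify"))
            continue
        deadline = acct.notified_on + timedelta(days=GRACE_DAYS)
        logged_in_since_notice = (acct.last_login is not None
                                  and acct.last_login >= acct.notified_on)
        if today > deadline and not logged_in_since_notice:
            acct.disabled = True                       # still simple, never came back
            actions.append((acct.name, "disable"))
        # A user who logged in but kept the simple password is not covered by the post;
        # this sweep leaves that account enabled and simply re-checks it next time.
    return actions


def sample_accounts() -> List[Account]:
    """Constructed sample data: one user per branch of the rule."""
    return [
        Account("alice", True, None, None),                          # first seen: notify
        Account("bob", True, date(2006, 9, 1), date(2006, 8, 1)),    # deadline passed: disable
        Account("carol", False, None, date(2006, 11, 3)),            # strong password: skip
        Account("dave", True, date(2006, 10, 20), None),             # still inside grace period
    ]


if __name__ == "__main__":
    print(sweep(sample_accounts(), SWEEP_DAY))   # [('alice', 'notify'), ('bob', 'disable')]
```

Running the sweep twice on the same day is harmless: the second pass finds alice already notified and bob already disabled, so it returns no actions, which is what a scheduled job needs.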

23
skenow
Re: How to force the users of ours site to use safe passwords?
  • 2006/11/4 22:19

  • skenow

  • Home away from home

  • Posts: 993

  • Since: 2004/11/17


Captcha will not stop a malicious attack by a person on someone else's account.

Locking the account is a standard method for dealing with failed logins. However, locking the admin account is a bad thing without a way to reset it.

Perhaps a combination of approaches - after x attempts, send an email to the account owner that includes a way to reset the password. Also set the account to require Captcha until a successful login occurs.

Just some ideas.
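The combination skenow describes, as a small login guard (an added example, not skenow's code): after x failed attempts the account owner gets a reset e-mail and the account requires a CAPTCHA until the next successful login, while admin accounts are never hard-locked so there is always a way back in. The threshold of 5, the admin account name, the outbox stand-in for the mailer and the reset-link placeholder are all assumptions.

```python
"""Added example (not skenow's code): the combined approach from the post as a small
login guard. Threshold, admin account name and reset-link text are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

MAX_ATTEMPTS = 5                          # the post's "x"; assumed value
RESET_LINK = "<reset-link-placeholder>"   # a real site would mint a single-use token here


@dataclass
class AccountState:
    failures: int = 0
    captcha_required: bool = False
    locked: bool = False


@dataclass
class LoginGuard:
    hard_lock: bool = False                                   # optionally lock ordinary accounts
    admin_users: Set[str] = field(default_factory=lambda: {"admin"})
    states: Dict[str, AccountState] = field(default_factory=dict)
    outbox: List[str] = field(default_factory=list)           # stand-in for the site's mailer

    def state(self, user: str) -> AccountState:
        return self.states.setdefault(user, AccountState())

    def attempt(self, user: str, password_ok: bool, captcha_ok: bool = False) -> bool:
        """One login attempt. Returns True only when the login should succeed."""
        st = self.state(user)
        if st.locked:
            return False
        if st.captcha_required and not captcha_ok:
            return False              # CAPTCHA gate stays up until a successful login
        if password_ok:
            st.failures = 0           # successful login clears the counter and the gate
            st.captcha_required = False
            return True
        self._record_failure(user, st)
        return False

    def _record_failure(self, user: str, st: AccountState) -> None:
        st.failures += 1
        if st.failures != MAX_ATTEMPTS:
            return                    # notify once, when the threshold is crossed
        st.captcha_required = True
        self.outbox.append(f"to={user}: {MAX_ATTEMPTS} failed logins; "
                           f"reset your password at {RESET_LINK}")
        # Admin accounts are never hard-locked: the owner keeps a way in (CAPTCHA + reset mail).
        if self.hard_lock and user not in self.admin_users:
            st.locked = True


if __name__ == "__main__":
    guard = LoginGuard(hard_lock=True)
    for _ in range(MAX_ATTEMPTS):
        guard.attempt("admin", password_ok=False)
    print(guard.state("admin"))       # failures=5, captcha_required=True, locked=False
    print(guard.attempt("admin", password_ok=True))                   # False: no CAPTCHA
    print(guard.attempt("admin", password_ok=True, captcha_ok=True))  # True
    print(guard.outbox[0])
```

With `hard_lock` left at its default of False the guard never locks anyone; the CAPTCHA gate plus the one-off reset e-mail is the whole response, which is the post's suggested replacement for plain account locking.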
