Password policy and a recent virus

My current client is being hit with a virus that seems to be hitting LDAP / AD to pick up usernames and then running dictionary attacks on those accounts (against Exchange in their case). The end result is that a mass of accounts on this company's network were locked out.

Aside from the usual measures against attack, this is an excellent example of why admins should a) train users to use pass phrases rather than passwords, even "strong" ones, of fewer than about 10 characters, and b) disable the account lockout policies that make this sort of attack possible.

Here's the blog that changed the way I think about passwords:
http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
Anyone responsible for administering a network should read every word Robert posts.

I personally believe it's a good idea for admins to regularly run attacks on their own networks (aka password auditing) to see who's not following policy. If you don't rattle your doorknobs, you can be sure that someone else will.

No one can depend on policy alone to protect a network. Consider this: P@ssw0rd (a frequently used MS demo password) and its variations qualify as a valid "strong" password on most networks.
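To make the P@ssw0rd point concrete, here is an added example (my own code, not from the post or from Robert Hensing's blog) that scores candidate passwords against two policies: a classic "complexity" rule (minimum length plus three of four character classes, as Windows-style policies enforce) and a length-first pass phrase rule. The dictionary, the leetspeak substitution table and the 14-character pass phrase floor are all assumptions chosen for illustration; the post itself only says "about 10". The `false_positives` helper is the kind of check a password audit would run: it lists candidates the complexity policy accepts even though they are just a dictionary word with substitutions.

```python
"""Added example (not part of the original post): compare a classic
'complexity' password policy with a length-first pass phrase policy and
show why leetspeak variants of dictionary words still pass the former."""
import re

# Constructed, deliberately tiny wordlist standing in for a real dictionary.
SMALL_WORDLIST = {"password", "welcome", "summer", "letmein", "company"}

# Assumed substitution table: the swaps users make to satisfy complexity
# rules, undone here so that P@ssw0rd compares as 'password'.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                          "1": "i", "!": "i", "$": "s", "5": "s", "7": "t"})


def meets_complexity_policy(pw: str, min_len: int = 8) -> bool:
    """Classic 'strong password' rule: at least min_len characters and
    three of the four classes upper / lower / digit / symbol."""
    classes = [
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"[0-9]", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def normalize(pw: str) -> str:
    """Lower-case, drop the trailing digits/symbols people append
    (Summer2019!), then undo common substitutions."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def is_dictionary_derived(pw: str, wordlist=SMALL_WORDLIST) -> bool:
    """True when the candidate is a dictionary word dressed up with
    substitutions or a numeric/symbol suffix."""
    return normalize(pw) in wordlist


def meets_passphrase_policy(pw: str, min_len: int = 14) -> bool:
    """Length-first rule (14 is an assumed floor): long, and not a single
    dictionary word in disguise. No character-class requirement at all."""
    return len(pw) >= min_len and not is_dictionary_derived(pw)


def evaluate(pw: str) -> dict:
    """Score one candidate under both policies."""
    return {
        "complexity": meets_complexity_policy(pw),
        "passphrase": meets_passphrase_policy(pw),
        "dictionary_derived": is_dictionary_derived(pw),
    }


def false_positives(candidates) -> list:
    """Audit helper: candidates the complexity policy accepts even though
    they are only a dictionary word with substitutions."""
    return [p for p in candidates
            if meets_complexity_policy(p) and is_dictionary_derived(p)]


if __name__ == "__main__":
    # Constructed sample candidates.
    for pw in ["P@ssw0rd", "Summer2019!", "correct horse battery", "xq7$Lm2!pZ"]:
        print(f"{pw!r:26} {evaluate(pw)}")
    print("accepted by complexity policy but dictionary-derived:",
          false_positives(["P@ssw0rd", "Summer2019!", "correct horse battery"]))
```

Run as-is it prints both verdicts for each sample; P@ssw0rd and Summer2019! satisfy the complexity rule and fail the pass phrase rule, while a three-word phrase with no digits or capitals does the reverse. Extending `SMALL_WORDLIST` with a real wordlist turns `false_positives` into the "rattle your own doorknobs" check from the post, run at password-set time rather than after the lockouts happen.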
