"but evidently NOT long and complex enough"
What is "enough"?
Depending on the tools used, the effort put in and the time allowed, any password can be cracked if the authentication interface allows enough attempts. The fault lies as much in that interface as it does in the choice of password.
Apart from which, will someone at last explain cogently how the hell "complexity" makes passwords "secure"?
[1] Apparent randomness is not randomness - it's impossible for a human to mentally generate a truly random string as we have a problem called "memory" that prevents us ensuring the true independence of the elements of any sequence.
[2] Randomness is a property of sets, not of the members of sets. If all your passwords are identical, it doesn't matter that they're all the same highly entropic string of characters. Thus the "security" of your corporate passwords is primarily a property of the entire set of passwords, and variation within that set is its most important characteristic.
[3] A highly entropic string is not necessarily secure against attack anyway. It's only secure against human guessing. An attacker using rainbow tables works from the hash to the string, so it doesn't matter two hoots what that string is as it's going to be found eventually via the relevant path through the table.
[4] Length is important, but only up to practical limits. If it's too short, a password is open to easy guessing because there won't be many to choose from (how many three-letter strings are there?). But if it's required to be too long, people will find ways to simplify their own problem - creating and remembering it, rather than yours - ensuring it is robust against attack. So it won't be.
The ultimate reality is that, properly managed, passwords provide sufficient assurance for some tasks but not for others. For those others there are alternatives such as multifactor (not biometrics, which are identifiers, not authenticators).
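
An added example, not part of the comment above: a small Python audit illustrating point [2], comparing the entropy of an individual string with the variation across a whole set of passwords. The function names and the sample passwords are constructed for illustration.

```python
import math
from collections import Counter


def string_entropy_bits(s: str) -> float:
    """Empirical Shannon entropy of one string: bits per character
    (from the character frequencies inside the string) times its length."""
    n = len(s)
    per_char = -sum((c / n) * math.log2(c / n) for c in Counter(s).values())
    return per_char * n


def set_min_entropy_bits(passwords: list[str]) -> float:
    """Min-entropy of the set: log2(N / count of the most common password).
    This is what one guess at the most popular value is up against."""
    top = Counter(passwords).most_common(1)[0][1]
    return math.log2(len(passwords) / top)


def top_password_share(passwords: list[str]) -> float:
    """Fraction of accounts that share the single most common password."""
    top = Counter(passwords).most_common(1)[0][1]
    return top / len(passwords)


# Constructed sample data: every string scores the same on its own (8 distinct
# characters, 24 bits by the per-string measure), yet the sets differ widely.
IDENTICAL = ["aB3$xY9!"] * 4
MIXED = ["aB3$xY9!", "aB3$xY9!", "q7&Lm2#Z", "Hd5*Rw8@"]
DISTINCT = ["aB3$xY9!", "q7&Lm2#Z", "Hd5*Rw8@", "Vn4^Kp6%"]


def report() -> list[tuple[str, float, float]]:
    """Return (label, set min-entropy in bits, top password share) per set."""
    sets = (("identical", IDENTICAL), ("mixed", MIXED), ("distinct", DISTINCT))
    return [(name, set_min_entropy_bits(p), top_password_share(p))
            for name, p in sets]


if __name__ == "__main__":
    for name, bits, share in report():
        print(f"{name:9s} set min-entropy = {bits:.1f} bits, "
              f"top password covers {share:.0%} of accounts")
```

The per-string score is the same for every password in all three sets; only the set-level figures tell them apart.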