The most effective way to minimize the danger of bad passwords is to not use conventional passwords at all. Instead, your site can install software and/or hardware to allow one-time passwords. A one-time password is just that - a password that is used only once.
As a user, you may be given a list of passwords on a printout; each time you use a password, you cross it off the list, and you use the next password on the list the next time you log in. Or you may be given a small card to carry; the card will display a number that changes every minute. Or you may have a small calculator that you carry around. When the computer asks you to log in, it will print a number, and you will type that number into your little calculator, then type in your personal identification number, and then type to the computer the resulting number that is displayed.
All of these one-time password systems provide an astounding improvement in security over the conventional system. Unfortunately, because they require either the installation of special programs or the purchase of additional hardware, they are not widespread at this time in the UNIX marketplace.
One-time passwords are explained in greater detail in Chapter 8; that chapter also shows some examples of one-time password systems available today.