Sounds good, on the user end.
As long as all other things are secure. But I'm almost inclined to think that credential strength is almost being discussed in a vacuum in this case. I'd have to read more to find out, but I will explain my thinking using an example quoted in the article.
" ...locks an account for 24 hours after three attempts..."
But will the system do this? A lot of ATMs are notoriously insecure. So are a lot of website login procedures. They can be gamed in a number of ways, and code seems to be fixed infrequently or not at all.
Actually, I'd wager that some banks do have very good login back ends, probably a lot better than their ATMs have.
I agree entirely that this is a good approach to login credential creation. But it hardly matters in an environment where login can be bypassed entirely, or heaps of credentials can be slurped up right out of a server across a network.
But again, these concepts seem to be narrowly focused, and aren't considering factors beyond the credentials themselves, which is fine. Better credentials will help protect against the type of attacks mentioned.
