Concisely crafted (by Dinei Florencio, Cormac Herley, and Paul C. Can Oorschot) contributed article - entitled 'Pushing on String: The 'Don't Care' Region of Password Strength' - in this month's Communications of the ACM, details research on why organizations that enforce strict password 'composition' security policies end up with flawed password-related security issues - effectively the same as those organizations that do not enforce password strength. Something to get those wheels of cogitation spinning over the weekend...