On Friday 6 May, 2011 02:13:52 Brian wrote: > A strong password is no less secure in brute force terms than a key so > there is no reason to disallow it on those grounds. You can also be sure > you have never left it at home or elsewhere. What you're missing is the difference between someone trying to hack from the client machine... and a remote script trying to brute-force your server. Big difference.