I have decided that a high level of password complexity, as a means for secure login authentication, is mostly useless. Password complexity is where sites or systems require a minimum length and at least one capital letter, number or symbol in a password to add complexity and decrease the chance that a hacker will figure out your password.
Here are the reasons I believe password complexity doesn't help:
- Many sites lock you out after several failed login attempts, so brute-force hacking is futile now, or extremely time-consuming.
- Social engineering and fake login pages are the most effective ways of getting a password. If you are tricked into giving someone your password, the complexity makes no difference.
Obviously a password should not be something anyone who knows you could figure out, nor should it be written where someone could find it. I'm just saying the biggest threat to password security is being tricked into giving it out, logging in to a seemingly legitimate login page that isn't legitimate, someone capturing your password as it is transmitted, or a keylogger on a computer. Password complexity doesn't solve any of these problems. I'm no security expert, and there must be some level of security gained by a complex password since many major sites do require it, but it just seems like more trouble than it's worth. Any thoughts on this?