Originally Posted by proximo
I work in an IT environment and it's amazing to me how willfully ignorant the policy makers can be. Different departments enforce different password change intervals and different rules for what constitutes a valid password (length, special characters, etc). Every few months you have to change at least one password and it's very difficult due to the varied rules to make all of them the same and easily remembered. It's no wonder people write their passwords down. It's impossible to remember them all otherwise.
I've worked for 5 companies in the last 10 years, all of them Fortune 1000. Only the most recent generally gets it right with a single userid/password working for most, but not all, internal sites.
A company I worked for that does fingerprint authentication makes the case that if your users are commonly forgetting and resetting their passwords, or fail to get work done because they had password issues, then these policies make a net loss; the massive resetting of passwords actually makes it EASIER for a hacker to get in once they can get in on that cycle. Plus, people frustrated with making new passwords all the time will eventually resort to something easy, like "password1".
One damn good password SHOULD last you over a year, if it's impossible to guess.