>Not sure if you hold any away on such policies, but if you do, the password-change requirement might be something to reconsider. When users are forced to change their passwords (especially that frequently) all they do is increment a number.

On one job, 15 years ago, I came up to 26 after my standard password. On the next one, at 04 I asked the admin whether it's really necessary, and he agreed to stop that (including on his own account).

>Either that or they have to write it down to remember, or they forget and need to invoke a reset process. There really is no logical in-between. to those tactics. Multi-factor authentication is probably a far better security measure.

Except when it's american based and I'm the securable... because they insist on silly questions which have no answer here, different culture. Mother's middle name? We don't have middle names. Your first car make/model - don't really know what would count as my first, as dad registered one in my name because he didn't want to have two on his at the same time; the next one I owned for just two months (was junk), don't know if I'd count that. Or should I take the car we had when I got the license? Grandmother's maiden name? Thought it wouldn't pass because it contains a ć, but no - too short, minimum six chars. Should have changed history to make it fit. What would Hungarians with just Fa for surname do? The country I always dreamed of vacationing in – never existed, I didn’t. Specially not by country. Favourite colour? - I change that every few years, no good. Childhood hero? - I could put one, but next week I wouldn’t be sure whether I spelled it in english or in serbian. Parents’ wedding anniversary? I know the date, but in which format would I write it, and in which language? Ambiguous, and impossible to memorize firmly. Favourite cartoon character during childhood? None, we didn’t have TV until I was 10, and then with each one of them I went through interest-enjoyment-boredom-disenchantment. Liked Pink Panther, but wasn’t a child at the time.

>Forced password changes isn't really security, it's security theater, and that's pretty much straight from the mouth of Microsoft.

What I wrote the other day about the best IT gig - be a cerberus, assign chores to everyone, be accountable to noone, don't announce any measures you introduce, and nobody needs to know what you're doing, it's on the need-to-know basis. Just make sure you create a nuisance to everyone, so they'll know you're doing your job.