Y2k hysterical groupthink
Message
From
14/12/1999 18:02:41
 
General information
Forum:
Visual FoxPro
Category:
Other
Miscellaneous
Thread ID:
00303100
Message ID:
00303728
Views:
33
>>OTOH, you should be grateful that your passwords are allowed to exist as long as 6 weeks. I'm not kidding here - a lot of organizations are much stricter than that - and in many cases, rightfully so. I could certainly see it for your organization.
>
>The 6 week password change has frustrated people so much (they forget their passwords) that they do the following:
>- share accounts and passwords
>- someone logs the computer in the morning and leaves it going for everyone all day
>- avoid using the computer system
>
>Thus the technique has backfired. I believe we should follow the lead of the banks. One pin (password) and you change it if and when you want.

The bank idea would be fine, if you all had smart cards or the equivalent. The bank example makes use of 2 things:

1. Something you have (your access card)
2. Something you know (your PIN number)

so, it is inherently more secure than a standard LAN user name/password situation. Bear in mind most client PCs remember the account name, so the only security you currently have comes from the password.

Your organization does have data that are legitimately confidential and must be protected. If you've got people doing an end run around passwords, then it's a policy issue. Either change the policy so end runs are not necessary, or enforce the current ones.

So, when were you moving to IS Management? :-)
Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up