As IT people, we tend to get a little crazy over passwords, but for good reason. We seem to require stronger and stronger passwords that need to be changed more and more frequently. How many of us have seen users have their passwords taped to their monitor or on their desk with a note saying Windows login password? It is starting to get a little ridiculous.
We can tell users until we are blue in the face that they arent allowed to write down their passwords, but they do anyway. Security is only as valid as the user can make it. We could require a 16 digit password that changes once a month, but I believe that is less secure because users will write it down.
What is the magic number of characters and forced password changes without being wide open, and without the majority of users writing down their passwords because they are so difficult that they cant remember them? I am not looking for a solid answer. Just some thoughts, because there is no solid answer to this question