Originally Posted by entropy:
Changing passwords regularly generally means that people change from a possibly secure password to one that is structured and/or written down.
Worse for security...
I knew an organization that required its employees to create passwords that contained two upper case letters, two lower case letters, two digits, and a punctuation mark. It was further required that no letter be followed by one or more letters such that a word in English was spelled. On top of all that, employees were required to change their passwords each month. This entire practice was thrown out the window by senior management when the audit department went around one night and found that a very large majority of employees kept their passwords written down in their desks - sometimes attached to the desk, computer, monitor, or wall.
Oftentimes it is paranoia that is the greatest risk to security.