FlyerTalk Forums - View Single Post - 300,000 miles stolen from my Avios BA account
Jan 20, 2017, 2:28 am
  #50  
Globaliser
FlyerTalk Evangelist
 
Join Date: Aug 2002
Location: London
Programs: Mucci. Nothing else matters.
Posts: 38,644
Originally Posted by GUWonder
I'd read that many months ago and there is indeed something to that. But when companies both require more complex passwords during a company-required password change and restrict use of a prior password or part of a prior password from being re-used, the increased frequency of password changes does help increase account security unless bad password creation/retention habits are allowed and/or being used (as is very often happening).
From looking at colleagues who've been faced with such requirements, I suspect that a common bad habit is that increasingly-complex passwords simply get written down on paper and kept near the machine in question. But it's not difficult to understand why people do that, or to sympathise with those reasons. From an ivory tower, one can easily say "That's a bad habit. Don't do it." But in the real world, users genuinely find some of these requirements difficult. A security approach that doesn't take into account the real needs and the real limitations of the real people who are using the system is surely itself flawed.