[eksemplar]

I work in the public sector in Denmark. Here three months is required by law.

It's caused our most common passwords to be things like Summer17 and half the employees that actually use what they think are hard random passwords end up writing them down.

If you look under the keyboard if 100 workstations you'll probably find 10 passwords on post-its.

It makes little sense too because if we're compromising for 3 months we're probably going to be just as fucked as if we were compromised for 4.

The best policy we have is locking people out after 3 wrong attempts.