by hnriot 5011 days ago
Any decent corporate IT dept makes sure you don't, by forcing frequent password changes and having quite secure rules for length and characters in a password. My corporate IT forces quarterly password changes for VPN, NIS and SSO, which all must be different, all must be 8+ characters, and all must have a mix of upper and lower case and numerics. They also store the hashes of all previous passwords to prevent users from recycling.

So I think the onus of responsibility lies with corp IT and not HR.

3 comments

Forcing people to change their password is one of the most annoying and ineffectual things you can do. It is completely useless to change a perfectly good password when it has not been compromised. And since most humans have trouble memorizing complicated passwords, the net result will be much simpler passwords, or ones that get written down.

There's no technical solution to this problem. In the end it comes down to making people actually memorize pseudorandom passwords. As long as there's no shoulder surfing or keyloggers, you can keep such a password for years.

You know how people that work at your company remember their passwords after having to change them so often and comply with so many rules? They write them down on post-it notes that they leave at their desks.

Nice work!

These are all general password policy "best practices", and typically result in users using something along the lines of

FuC|Kj0017GUy-1 FuC|Kj0017GUy-2 FuC|Kj0017GUy-3

Or, for users who are lazier (read: most of them), you get:

S3P-2k12 0c7-2k12 n0V-2k12