Hacker News
by mcherm 4238 days ago
I work for a bank -- a place where you would expect to find excellent security practices. And for the most part we DO have excellent security practices. But I have encountered certain areas that have the same kinds of problems you mention around password management: frequent changes required and a maximum length which is not nearly long enough.

I attempted to address it by writing an essay about why this was risky (including links to research) which I published on the internal intranet.

So far my track record is quite poor. I had one person explain why 8-character passwords were the maximum (there was still one machine at the company that ran an OS that could only handle 8-character passwords) and no one seemed interested in changing it.

Make of this what you will.