by jeffmould 4238 days ago
Can completely understand your frustration with government IT policies, and at times they are very draconian.

I do disagree with you on the policy of changing every 6 months. While it may promote laziness to some degree in coming up with a strong password, that issue can easily be overcome with policies on length, character types, etc. Forcing password changes on a routine schedule can be a very good security practice though.

As for storing old passwords I have split feelings personally on this. I hate it because I forget sometimes what passwords I have previously used. In my case it was a school and every semester we had to change our password. Since I was a part-time student taking 1-2 classes each semester including summers it meant in some years I would change my password 5-6 times. That meant remembering every password I had ever used. After 2-3 years this became a major headache to me. A better and IMO preferred implementation of this would be to prevent maybe the previous 2 passwords from being reused, but to say you can never use the same password twice regardless of time between uses is just dumb.

On your final note regarding the length issue: while I can't speak for that particular system, it sounds like it may have something to do with some legacy system restriction they have in place that is forcing a constrained length (similar to some banks not allowing special characters in your password).
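As an added illustration of the "previous N passwords" window argued for in the comment above (example code written for this page, not from the thread or any system it describes): a password-history store that keeps only salted PBKDF2 hashes of old passwords, rejects reuse inside a configurable window, and can also model the unbounded "never reuse" rule. The `remembered` parameter and the PBKDF2 round count are assumed values.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; tune to the hardware you deploy on.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordHistory:
    """Tracks previous passwords as salted hashes, never as plaintext.

    remembered: how many of the most recent passwords (current one included)
    are off-limits for reuse. None means the unbounded "never reuse" rule
    the comment objects to; a small number gives the "previous 2" window.
    """

    def __init__(self, remembered):
        self.remembered = remembered
        self._entries = []  # (salt, digest) pairs, oldest first

    def was_used(self, candidate: str) -> bool:
        """True if candidate matches any remembered password (constant-time compare)."""
        for salt, digest in self._entries:
            _, cand_digest = hash_password(candidate, salt)
            if hmac.compare_digest(cand_digest, digest):
                return True
        return False

    def set_password(self, new_password: str) -> bool:
        """Accept and record a new password, or refuse it if it is in the window."""
        if self.was_used(new_password):
            return False
        self._entries.append(hash_password(new_password))
        if self.remembered is not None and len(self._entries) > self.remembered:
            del self._entries[0]  # oldest password ages out of the window
        return True
```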