'complex' password nonsense
I have been known to teach the occasional class at the local community college. They require everyone, students, staff, adjuncts, whatever, to have a 'complex' password. You know, at least three of uppercase, lowercase, numbers, symbols, a minimum of eight total characters. The usual. They also insist on users changing their passwords every 90 days. Their IT department was not amused when I pointed out that P@55worD01 exceeded their 'complexity' requirements, and that merely changing the trailing two digits would give me 100 changes of password, or 300 months' worth. They went to the trouble of adding code to detect P@55worD01, et al, and banning the use of numbers as the last two digits. So I use an equally inane password, this time with the two numbers that I change every 90 days buried in the middle of the password, the rest of which never changes. My only problem is remembering which two numbers are in use this month. Now, if they were serious about password security, they'd bin the 'complex' crap and allow passphrases. You know, stuff that can be easily remembered but is hard to guess or to crack using normal password cracking methods. Things like, oh, tennoheikabanzai. ('May the Emperor reign 10,000 years.' Yes. Really.) No need for 'forgot password' crap if you remember the passphrase...
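
Added example, not part of the original comment and not the college's code: a Python sketch of the composition rule as the comment describes it, the narrow trailing-digit ban, and a change-time check that compares old and new passwords with their digit runs masked. All function names are hypothetical, the `Blue17!Kettle` pair is constructed, and it assumes the change form receives the current password in plaintext alongside the new one.

```python
import re

# The four character classes named in the comment (ASCII-only: an assumption).
CLASSES = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]

def meets_complexity(pw, min_len=8, min_classes=3):
    """The rule as described: at least 8 characters, at least 3 of 4 classes."""
    present = sum(1 for rx in CLASSES if re.search(rx, pw))
    return len(pw) >= min_len and present >= min_classes

def ends_in_two_digits(pw):
    """The narrow ban described: digits as the last two characters."""
    return re.search(r"[0-9]{2}$", pw) is not None

def skeleton(pw):
    """Mask every digit run, wherever it sits. NUL is used as the mask
    so it cannot collide with a character typed into a password field."""
    return re.sub(r"[0-9]+", "\x00", pw)

def is_counter_rotation(old, new):
    """True when old and new differ only inside their digit runs."""
    return old != new and skeleton(old) == skeleton(new)

def review_change(old, new):
    """Run all three checks on one password change."""
    return {
        "complexity_ok": meets_complexity(new),
        "trailing_digit_ban_hit": ends_in_two_digits(new),
        "counter_rotation": is_counter_rotation(old, new),
    }

if __name__ == "__main__":
    # First pair is the comment's own example; second pair is constructed
    # to mirror "two numbers buried in the middle".
    for old, new in [("P@55worD01", "P@55worD02"),
                     ("Blue17!Kettle", "Blue18!Kettle")]:
        print(old, "->", new, review_change(old, new))
    # The all-lowercase passphrase from the comment fails the composition rule.
    print("tennoheikabanzai complexity_ok:", meets_complexity("tennoheikabanzai"))
```

The second pair passes both the composition rule and the trailing-digit ban, and only the masked comparison flags it.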