"a really good password can be kept for DECADES, so long as it's hard to guess and easy to remember."
No password no matter how long is immune to shoulder-surfing and keyboard sniffing. In which case, the resultant breach could go unnoticed for decades, too.
Which would you rather have? A bunch of weak passwords that at least get changed every two months, closing any holes they might have made or stagnant passwords that in turn get stolen and go unnoticed?
Biting the hand that feeds IT
