I think that every network security department operates under the following motto:
“If you can do your job, we’re not doing ours.”
The customer I’m with has instituted a massively long password scheme. Now I’m not going into details, because that would be telling and would give even the greenest of hackers enough to walk right in.
My point is this. If you make a password scheme overly complicated or tedious, what you’re going to find, and I say this as an absolute, is that 20-40% of your users will WRITE THEIR PASSWORD DOWN AND PUT IT WITHIN REACH OF THEIR WORKSTATION.
Hello social engineering.