I have worked for a number of firms over the years and all of these, like many others, have password policies. Password policies that are not only annoying but utterly counterproductive.
The consensus among security professionals is that passwords should be long, random, stored in a password manager and shouldn’t be changed unless you think your account has been compromised.
If you look at the password policies implemented by many — if not most — companies, it quickly becomes apparent that security is less important than giving the security auditors a box to tick. These are not the same because you can’t audit the strength of someone’s password, but you can audit how often people are obliged to change their password.
Forcing frequent password changes, however, leads to terrible passwords.
When people have to change passwords frequently, they start to look for workarounds in order to avoid forgetting their passwords. Passwords become shorter and easier to remember, or guess. People start following a memorable theme, so that even after their password is changed, the new one is instantly guessable. Worst of all, people will start writing their passwords down.
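As an added illustration (not part of the original post), here is a defender-side check a login system could run at rotation time to reject a replacement password that is merely a predictable tweak of the old one, which is exactly the workaround pattern described above. The season/month word list and the similarity threshold are assumptions chosen for the example.

```python
import difflib
import re
from typing import Optional

# Added example, not from the post: reject a new password that is a trivial
# variation of the one it replaces. Word list and threshold are assumptions.

# Words people cycle through when forced to rotate (seasons, months).
_SEQ_WORDS = ("january", "february", "march", "april", "may", "june", "july",
              "august", "september", "october", "november", "december",
              "spring", "summer", "autumn", "winter", "fall")
_SEQ_RE = re.compile("|".join(_SEQ_WORDS))
SIMILARITY_THRESHOLD = 0.75  # assumption: edit ratio at or above this is too close


def _base(pw: str) -> str:
    """Reduce a lowercased password to its memorable stem: strip leading and
    trailing digits/symbols and collapse any season or month word."""
    s = re.sub(r"[^a-z]+$", "", pw)   # "summer2024!" -> "summer"
    s = re.sub(r"^[^a-z]+", "", s)    # "!!summer"    -> "summer"
    return _SEQ_RE.sub("<seq>", s)    # "summer"      -> "<seq>"


def variation_kind(old: str, new: str) -> Optional[str]:
    """Name the way `new` is a trivial variation of `old`, or return None
    when it is a genuinely different password."""
    o, n = old.lower(), new.lower()
    if o == n:
        return "unchanged (ignoring case)"
    bo, bn = _base(o), _base(n)
    if bo and bo == bn:
        return "same stem, only the suffix or season/month changed"
    ratio = difflib.SequenceMatcher(None, o, n).ratio()
    if ratio >= SIMILARITY_THRESHOLD:
        return f"edit similarity {ratio:.2f} above threshold"
    return None


def is_acceptable_rotation(old: str, new: str) -> bool:
    """True when `new` is not a predictable tweak of `old`."""
    return variation_kind(old, new) is None


if __name__ == "__main__":
    # Constructed sample pairs illustrating the patterns described above.
    for old, new in [("Summer2023!", "Summer2024!"), ("Summer2023!", "Winter2024!"),
                     ("Hunter2!x", "Hunter2!y"), ("Pa55word", "pA55WORD"),
                     ("correct horse battery", "tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: {variation_kind(old, new)}")
```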
I have even seen some firms ban the use of password managers, which compounds all of the above.
The end result is that, by meeting the audit requirements for security, companies make themselves less secure.
Don’t you just love checkboxes?