Insecure Security 

I've now been at my current client site for about a month. Today I received email notification that my password will expire in 5 days. I've been here a month! This place has the most insane password policy of any company I've ever worked at. First of all, your password must be at least 8 characters. It must include both numbers and mixed case. Not only that, but no complete word can appear anywhere in the password. Now then, all these things do make a password more secure, but then you have to change it every 30 days? That's what I have a problem with.

I would be willing to bet that if I were to go to every cube on this floor, that within 2 minutes of being in that cube, I would find that person's password written down somewhere at least 1/2 the time. When you make passwords that hard to remember, and then make people change them that often, you're asking for people to take measures to remember them. Of course this company realizes this problem, and so they have a password reset utility. You simply log into a terminal with a known dummy account, go to this website, answer some predefined questions about you, and they'll reset your password. How secure is that? Now anyone with a somewhat detailed portfolio on me can access my account. I hate the "secure" password questions. Anyone can pretty easily find my mother's maiden name, or what grade school I went to. I always fill in those fields with junk information because I never use them, and I don't want others too either.

If you want to make sure my password is uber secure, that is fine with me. I get that. But then don't force me to change it constantly so that I can't remember it. We don't work at the NSA.