>I realize that these sorts of password rules are often externally dictated,
>but it's not clear to me (or many others) that they actually have a positive
>effect on security).

Geez John, do you want the terrorists to WIN?!?!? :-)

While I agree with you, it's a tough sell. I personally think password
changes are a good idea, but the interval should be much longer than is
typically done (1 year is my preference). The problem is that while this
is my "gut" feeling, I have no hard data to back it up ... there is a lack
of hard data in general on both sides of the argument. I hear plenty of
ancedotal evidence, but nothing convincing.

The thinking I've seen runs like this:

1) We want better computer security
2) Changing your password regularly is good for security.
3) If you want more security, change your password more frequently.

I suspect these people would have us change our password daily if they though
they could get away with it.

>Fact is, no matter what your passwords rules are,
>half the people or more will choose the weakest
>password allowed.

Perhaps ... but I've noticed with the use of Cracklib that the seriously
egregious ones (like your "aaaaa" example) are rejected. Nothing is going
to be perfect, though.