> That is the dilemma with security and it is difficult to make some
> auditors understand the paradox. The more punitive one makes security
> rules the more likely users will start doing things to defeat them.
> The most common is the one you mentioned. If you make password rules
> too severe people will start writing them down and putting then under
> keyboards, phones, blotters, etc. The result is a higher security
> risk then if things were just left alone. However, I don't think
> requiring a maximum life, minimum length, requiring alphanumeric and
> preventing reuse of a certain number of passwords fits the definition
> of overly punitive. Although some users may think it comes close. :-)

During peak times I sometimes help out on the front line help desk,
I've actually had a person cry because they couldn't think of one
when they were told they couldn't use an all lowercase password.

PS, Ken I used "aaaaa" to mean a 5-char all-lower password, not
that 50% of our users literally used 5 a's! I had no idea the
actual password, I just logged "a" "A" "#" or "." for a char
in that 'class'.