The trouble with corporate policies on changing passwords is the load they put on memory. You are told your password must be 8 characters or more, must contain numbers and letters (both uppercase and lowercase), can't be any of your last 13 passwords, and must be different for each system, and one has to ask how many jumbles of numbers and letters the average person can be expected to remember. Was my login password ahG39f?r, or was that my email password? Or was it aHG39f?r? I can't quite remember which letters I capitalised.
If people can't remember their passwords they end up writing them down, which makes the system less secure rather than more. Or they put them all in a file protected by a single password, which creates one single point of failure for every system they can access, and for good measure the corporate IT security people have no control over how (or even whether) that file is secured.
Ultimately the purpose of security is to be as invisible as possible to authorised users while being as obstructive as possible to unauthorised ones. When it becomes obstructive to authorised users they will look for ways around it for their own convenience, which means that as security becomes more comprehensive on paper it becomes weaker in practice.