Password Guideline Nonsense

My company has solid security policies which seem to be oriented toward best practices. And I am very glad that they don't enforce nonsense policies that would actually weaken the passwords that users choose. That of course isn't the case with every company. There is one particularly arcane case. They have these rules for passwords:

  • At least two capital letters
  • At least one special character
  • At least one digit
  • At least 12 characters
  • At most three characters may overlap with the last 10 passwords
  • No characters from the last password

And the passwords have to be changed every four weeks. Of course, writing them down is forbidden, as that would weaken the security.

How are employees supposed to sensibly come up with these passwords and remember them? They will of course come up with a clever enumeration scheme that will just barely abide by these rules. And I am sure none of them will have more than 12 characters. If they were allowed to keep their passwords for more than four weeks, people might actually take more time to craft a sensible password. But this seems to encourage writing it on sticky notes …
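To make the effect of these six rules concrete, here is an added example (my own code, not anything from the post or the company it describes) that implements the rules as a checker and then measures how quickly they shrink the pool of characters a user may still pick from. It assumes that "overlap" and "characters from the last password" refer to distinct characters regardless of position, that the usable alphabet is the 94 printable ASCII characters, and the sample passwords it builds are constructed for illustration only.

```python
import string

# Assumed reading of the post's rules 5 and 6: "overlap" means distinct
# characters shared with an old password, regardless of position.
MIN_LENGTH = 12
MIN_UPPER = 2
MAX_OVERLAP = 3        # distinct characters allowed in common with the last 10 passwords
HISTORY_DEPTH = 10
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable ASCII characters
SPECIALS = set(string.punctuation)


def check_policy(candidate: str, history: list[str]) -> list[str]:
    """Return the rule violations for `candidate`; an empty list means accepted.

    `history` holds earlier passwords, most recent first. Rules 5 and 6 can only
    be evaluated against old passwords kept in the clear (or reversibly
    encrypted), which is a problem with this policy in its own right.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(c.isupper() for c in candidate) < MIN_UPPER:
        problems.append(f"fewer than {MIN_UPPER} capital letters")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if history:
        chars = set(candidate)
        if chars & set(history[0]):
            problems.append("reuses characters from the last password")
        recent = set().union(*(set(p) for p in history[:HISTORY_DEPTH]))
        if len(chars & recent) > MAX_OVERLAP:
            problems.append(f"more than {MAX_OVERLAP} characters shared with the last {HISTORY_DEPTH} passwords")
    return problems


def usable_characters(history: list[str], alphabet: str = FULL_ALPHABET) -> int:
    """How many distinct characters the next password may draw on: everything the
    last 10 passwords did not use, plus at most MAX_OVERLAP of the characters they
    did use (none of those may come from the most recent password)."""
    if not history:
        return len(set(alphabet))
    last = set(history[0])
    recent = set().union(*(set(p) for p in history[:HISTORY_DEPTH]))
    free = set(alphabet) - recent
    reusable = recent - last
    return len(free) + min(MAX_OVERLAP, len(reusable))


def constructed_history(n: int) -> list[str]:
    """Constructed sample history (not real passwords): n policy-compliant
    12-character passwords with pairwise disjoint character sets, each made of
    3 capitals, 3 lowercase letters, 1 digit and 5 punctuation characters."""
    assert 0 <= n <= 6, "the 94-character alphabet only yields 6 such disjoint passwords"
    U, L, D, S = string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation
    pws = [U[3 * i:3 * i + 3] + L[3 * i:3 * i + 3] + D[i] + S[5 * i:5 * i + 5] for i in range(n)]
    return pws[::-1]  # most recent first


if __name__ == "__main__":
    print(check_policy("correct horse battery staple maybe", []))  # a long passphrase, rejected
    print(check_policy("ABcdefghij1!", []))                        # a 12-character pattern, accepted
    for k in range(7):
        print(k, "previous passwords ->", usable_characters(constructed_history(k)), "usable characters")
```

Two things fall out of running it. A 34-character passphrase is rejected on three counts while a 12-character keyboard pattern sails through, and after six compliant changes with no character reuse the pool of characters a user may still draw on has shrunk from 94 to 25, which is exactly the pressure that produces the enumeration schemes the post predicts. The history rules also only work if the old passwords are available in the clear to the checker.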