Someone Tell PCI
Totally agree with all this; but others need to come on board with the same sense - in my case, PCI, which is the source of all the stupid requirements I've had to implement over the past few years, including all the "secure but actually insecure" things described above, like having to include punctuation and forcing a change of password every 6 months.