Re: change your passwords regularly
@John Brown (no body)
"Users will always find the easy way, even if that decreases security."
This ABSOLUTELY should be a key factor in designing a password policy, The key is to make it strict enough enough that people aren't using 'password' but not so strict and unmanageable that people find a way around it.
The problem is that it's next to impossible to prevent people gaming the system by using a password that fulfills the requirements but is not very secure at all - Password123 for example, and it's just as hard to prevent people from writing them down.
The best thing, I have found, is to have a password policy that enforces basic good sense, 8+ chars, complexity (not really necessary) and 90 day expiry (to taste). Then you have to EDUCATE the users on how to choose strong passwords and why these are necessary - especially where remote access (like webmail) is concerned.
In some workplaces there is a lot of bickering and stealing credit and you need to tell people plainly that if they choose a weak password, one of their colleagues could just log onto their e-mail and steal their sales leads or whatever.
The trick is to get the users to be part of the process - to understand why it's necessary.