Are we still on this "change your password regularly" kick?
If you use a different password for each system, changing the password does little (unless the system has already been compromised). What the forced change does result in is people writing their new password down and sticking it on their monitor, or under the keyboard. I've walked through many law firms just thinking about how easy it would be to take the post-it note off a screen and get access to all their files (not that I would, I'm a good lawyer, and am more likely to point out the flaw to partners).
Yes, many people will use the same password on different websites. They should be encouraged to use an individual password on systems and sites that matter, meaning they only need to remember several passwords. Forcing a regular change just encourages people to be even more lazy and write them down, and does nothing to stop brute-force attacks.