Password Complexity in the Enterprise?

andrewa asks: "What's the deal with passwords in a corporate environment these days? The company I work for has introduced layer upon layer of complexity on passwords over the years, and now it is simply ridiculous. We have to enter a 16 character password each month that cannot compare in any digits to the previous twelve passwords, nor can it be a simple string -- it has to be a mixture of upper- and lower-case characters including numerals and non-alphanumerical characters. What's next? A mixture of non-keyboard accessible characters and several varieties of DNA? It's not like we are even a government institute -- we are a software company that does telecom stuff, for goodness sake. Anyway ... you know what this makes me do? Write it down somewhere. How secure is that? The question is, I think my company is completely anal with the password requirements, what other security policies are in place in other companies that either completely exceed the banality of my company, or -- God forbid -- have a security system that makes sense?"

That's not too strange

Those requirements don't sound too tough, though 16 charaters is a little long.

As for remembering strong passwords, my method is this: think of a phrase, take the first letter of every word, substitute in some h4x0r numbers for letters, and make a few letters uppercase. It takes an afternoon or so before I can type it without thinking.

Example:
Slashdot is full of bad grammer,misspellings and inaccuracy

=

s1F0bgMaI

The phrase is easy to remember; the number and uppercase substitutions come with repetition.

So what's to keep you...

[Flimzy]

...from simply rotating the password?

Jan: 0123456789abcDE_
Feb: 123456789abcDE_0
Mar: 23456789abcDE_01

You get the idea

No digit will ever be the same as the same digit in any previous 15 passwords. It contains numbers, lower and upper case letters, and a non-alphanumeric character.