I happen to know a systems administrator who is currently waging a battle against a truly ridiculous password policy.

Based on the other content around here, you’ll no doubt figure out that I’m a software developer, and not even one with a specialization in security. This is fine: my defense is that we should probably all be thinking about the role passwords play in our lives, especially those of us building applications and maintaining infrastructure. You should also strongly, strongly consider using some variety of password manager, one that generates sufficiently random gibberish for you.


In my world, I would consider bad password policy to be a usability problem. If you ask people to change their passwords constantly, if you add complexity requirements, and if you set a short minimum length, then you’ve created a wonderful race-to-the-bottom situation in which your users are going to be so tremendously annoyed that they’ll do the very least possible to scrape by: a dictionary word, one capital letter, a digit or two, a trailing symbol, and a number bumped by one at every forced reset. I may be speaking from experience, and the experience may have helped inform a better policy where I’m working.
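To make that race to the bottom concrete, here is an added example in Python (mine, not part of the original post): a typical complexity-plus-rotation checker sits beside a length-first checker that uses a denylist and no character-class rules. The sample passwords, the small denylist of base words, and the 15-character minimum are all constructed for illustration; a real deployment would check against a proper breached-password list.

```python
"""Added example (not from the original post): two password policies run over
constructed sample passwords, showing that a complexity-plus-rotation policy
accepts exactly the predictable patterns it provokes while rejecting a long
passphrase. Every password and policy parameter here is illustrative."""
import re
import string
from typing import Tuple

# Constructed stand-in for a breached/common-password list, stored as the
# base words users build on. A production check would consult a real
# breached-password corpus instead.
COMMON_BASE_WORDS = {"password", "summer", "winter", "welcome", "qwerty", "letmein"}


def legacy_policy(pw: str) -> Tuple[bool, str]:
    """Typical 'complexity' policy: 8+ chars with upper, lower, digit and symbol.
    Nothing here stops 'Password1!' or a season plus the current year."""
    if len(pw) < 8:
        return False, "too short (min 8)"
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    if not (has_lower and has_upper and has_digit and has_symbol):
        return False, "missing a character class"
    return True, "ok"


def normalize(pw: str) -> str:
    """Strip the trailing digits/symbols and the capitalisation that users bolt
    on to satisfy complexity rules, so 'Password1!' compares as 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def length_first_policy(pw: str, min_len: int = 15) -> Tuple[bool, str]:
    """Length-first policy (assumed minimum of 15): denylist check on the
    normalized form, a long minimum, no character-class rules, and no scheduled
    resets (rotation is a process decision outside this function)."""
    if normalize(pw) in COMMON_BASE_WORDS:
        return False, "built on a common/breached base word"
    if len(pw) < min_len:
        return False, f"too short (min {min_len})"
    return True, "ok"


def rotation_increment(pw: str) -> str:
    """The classic response to a forced reset: bump the trailing number.
    'Summer2024!' becomes 'Summer2025!', which the legacy policy accepts again."""
    m = re.search(r"(\d+)(\D*)$", pw)
    if not m:
        return pw + "1"
    digits, tail = m.groups()
    bumped = str(int(digits) + 1).zfill(len(digits))
    return pw[: m.start()] + bumped + tail


# Constructed sample passwords: two complexity-satisfying patterns and one
# long passphrase with no digits or symbols.
SAMPLES = ["Password1!", "Summer2024!", "correct horse battery staple"]


def compare_policies(samples=SAMPLES):
    """Return {password: (legacy_result, length_first_result)} for each sample."""
    return {pw: (legacy_policy(pw), length_first_policy(pw)) for pw in samples}


if __name__ == "__main__":
    for pw, (legacy, length_first) in compare_policies().items():
        print(f"{pw!r:32} legacy={legacy} length_first={length_first}")
    for pw in SAMPLES[:2]:
        bumped = rotation_increment(pw)
        print(f"after forced reset: {pw!r} -> {bumped!r}, legacy={legacy_policy(bumped)}")
```

The legacy checker passes both constructed patterns and their post-reset increments while failing the passphrase for lacking an uppercase letter; the length-first checker does the reverse, because the denylist is applied to the base word rather than to the decorated string.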

I argue that the reason for this is simple: you’ve stripped away the abstraction that lets users stay unaware of the systems behind the scenes. They don’t want to be aware of those systems – that’s our job. Instead, they want to actually do the thing they set out to do.


Listen, given how much damage an organization can inflict on itself with garbage-tier password policies, there is really no excuse for introducing arbitrary complexity rules alongside a laughable length requirement and frequent resets.

I would encourage you to read the open letter above and exert whatever pressure you can if you’re aware of truly awful policy concerning the most basic of security measures.

Unless you’re the kind of person that opens the front door wide before going to sleep at night.

Published by Joe

I'm a software developer from Minnesota. I also ride bikes!

