@JaredBusch said:
I prefer a 12 month or non-expiring password but at least 16 characters long. Complexity can go fly a kite. Those only cause users to write things down.
Finally! For a long time I thought I was the only person who enforced this policy. Even as a part of GPO on our domains I set it as minimum of 12 (due to the entropy at the time), but basically turned down the complexity. Even some of the more non-technical users have extremely complex passwords now that they don't need to write down, because I encourage four random words with maybe a number or two between them.
And hey, if you wanna get inventive with the spelling, go ahead, if it's easier for you to remember, helps against broad dictionary attack as well. More experienced people will try cracking passwords with multiple words and even numbers, especially these days, but obviously even some crap like (3fOe38!45b is not only easy to crack, but also hard to remember, and I'm still baffled as to why this is encouraged. I'm sure you're aware of this, but I'm just saying it for people who may not realise that complex to remember does not mean complex to guess.
