You’re missing the point, I believe. People will do what they feel they need to do, which in many cases is going to be leaving a list of passwords somewhere convenient. Your users who are not giving you any trouble are the ones that are already doing this.
Actually those who do it are told not to when we find out and their supervisor is brought into the picture. Since we, or a PC tech, are at their desks any time they have a problem we check quite regularly. Plus we got most of the supervisors on board.
It is really simple: if the user cannot manage 4 passwords that change every 90 days, then they don’t need to be working with computers. Heck, if you are smart you can set it up so that all 4 passwords expire at the same time and use the same password for all the systems. (Note: we don’t tell users about that, but it isn’t hard to figure out.)
Guess what? It really isn’t that hard. I’ve got way more passwords than that and I remember them all. They change anywhere from every 30 to 90 days and I don’t get to a lot of them.
We really don’t mind resetting passwords, unless it is a daily type thing, and we get it done within 20 minutes, day or night. Having been woken up too many times to count to reset someone’s password, I know all about it.
I fully understand what a pain passwords can be. I also understand that weak passwords are worthless. Our physical security is top notch: it is a casino, so there are cameras all over the damned place*. The big issue is insider stuff. Not too long ago I got pulled into an issue where a user was apparently trying to sell information to a competitor. For a ton of money. He got busted and fired and will never work in a casino again. Gaming doesn’t like that kind of stuff. Nor do we. So we take the best steps towards security that we can. It isn’t onerous.
Slee
I set up some switches for our surveillance guy so he could test some IP cameras. Those things rock. They have a feature where you can select someone on the screen and it will follow that person from camera to camera throughout the casino. He was having kittens about that. It is really slick.
You’ve got a “feature” that will make life easier for your users (and whoever is on call for passwords) and you don’t tell them about it? What the fuck are you thinking?
NKO
NRTC
BOL
DFAS
PDHA
Citibank GTCC
CAC PIN
NMCI email PIN
NMCI secret word
(others I am forgetting)
The websites require a password that includes a capital letter, special character, a number, and a minimum number of characters. They are too complex to remember and frequently need to be changed so what does everyone do? We write them down. So much for security.
On the civilian side, there are a metric ton of passwords and logins as well. Based on suggestions here on the SDMB, I bought 1Password Pro for my iPod Touch. This type of software should be native to the iPhone/Touch.
When I used to work at a place that had such a requirement, I sometimes used the month and year codes as the changed digits, *viz.*, on August 1, 2010 it could be Password0810 and next month it could be Password0910. You could use an easily-remembered ! in place of an i, as well, for the special character.
According to security expert Professor Eugene Spafford, “Forcing periodic password changes given today’s resources is unlikely to significantly reduce the overall threat - unless the password is immediately changed after each use”.
This requirement makes little sense. And as noted upthread, it is particularly appalling when combined with a requirement that passwords be less than 8 characters long.
“For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.”
The process is simple: change all your passwords at once. T’ain’t that hard to figure out. Since they all last 90 days and the systems are independent there is no problem doing this.
We don’t tell our users because this *decreases* security: if someone gets one password they get them all. Of course, on the other hand having multiple passwords can cause the users to write them down, which also decreases security. Trying to find the right balance is hard. Of the two, I think I’d prefer that users did not use one password for all the systems.
Slee
P.S. We don’t search the drawers. However anything in plain sight (like under the keyboard) is fair game. Half the time people have all their passwords taped to the monitor. Ugh.
Yeah, but a) I’m using an app which is more secure than Excel and Word, b) the file name and location make it unlikely to be even noticed by someone not specifically checking every file looking for a hidden password file, and c) the most critical passwords, such as my bank accounts, are only saved as cryptic hints. Not perfect, but better than nothing. I may look at a dedicated password safe when I move to a new computer, though.
All you’re doing is making people put their passwords in their wallet. Just waiting for a wallet thief. Do some of your employees carry company cards of any kind?
But it’s not 4 passwords. It’s your 4 passwords. Plus the PIN for office voice mail. Plus the passwords for their home computer, their online banking, accounts management for e-mail and web accounts of all sorts, PINs to home and cell phone voicemail, ATM cards, maybe even a password to get into their cell phones. You only care about those 4, but you cannot ignore that people are dealing with a lot of that same sort of information and doing their best to work out a way to have it all when and where they need it.
Mine too. I used a generic format like CountryYear, with a vowel replaced by a special character, e.g. Br@zil1224, and then would ‘wrap’ one character each time I had to change my password:
Br@zil1224
r@zil1224B
@zil1224Br
etc.
At the end of the wrapping cycle (i.e. after 4Br@zil122) I picked a new country/year combo and continued on.
This obviously does not help with any of those hyper-vigilant systems that prevent you from using any of the same characters that were in the previous password, but those systems are clearly ridiculous anyway!
The one I was referring to was basically 3+ of the same characters in sequence, regardless of where they showed up. So if you had the password of:
03!M4rch
…you couldn’t use
M4rch03!
M4r03!ch
04!M4rch
etc.
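An added example, not anything a poster wrote: a Python version of the history rule described in this post (reject a new password if any run of three or more characters in it also appears somewhere in the previous one), run on the values quoted above and on the wrapped password from upthread. The Tulip#921 candidate is constructed.

```python
# Added example, not code from the thread: a password-history rule of the kind
# described above. A candidate is rejected if it shares any run of MIN_RUN or
# more consecutive characters with the previous password, wherever that run sits.

MIN_RUN = 3  # "3+ of the same characters in sequence"


def shared_runs(old: str, new: str, min_run: int = MIN_RUN) -> list[str]:
    """Return the maximal substrings of `new` (length >= min_run) that also
    occur somewhere in `old`. An empty list means the rule is satisfied."""
    hits = []
    i = 0
    while i < len(new):
        j = i + min_run
        # no run of min_run starting here is found in the old password: move on
        if j > len(new) or new[i:j] not in old:
            i += 1
            continue
        # grow the match as far as it still occurs in the old password
        while j < len(new) and new[i:j + 1] in old:
            j += 1
        hits.append(new[i:j])
        i = j  # continue after the run just matched
    return hits


def accept(old: str, new: str, min_run: int = MIN_RUN) -> bool:
    """True if `new` passes the history rule against `old`."""
    return not shared_runs(old, new, min_run)


if __name__ == "__main__":
    previous = "03!M4rch"  # the old password quoted in the post
    # the three rejected candidates from the post, plus one constructed fresh one
    for candidate in ["M4rch03!", "M4r03!ch", "04!M4rch", "Tulip#921"]:
        verdict = "ok" if accept(previous, candidate) else "rejected"
        print(f"{candidate!r}: {verdict} {shared_runs(previous, candidate)}")
    # the same rule also catches the character-wrapping scheme posted upthread
    print(shared_runs("Br@zil1224", "r@zil1224B"))
```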
Basically the effect was you had to come up with completely distinct passwords every time, and thus the only real way to remember the password for this system (which I didn’t use every day) was to write it down someplace. Stupid. To make matters worse, you had to change it every 30 days, and there was no grace period – so, inevitably, it’d be right in the middle of some critical issue that you’d end up locked out and a password reset was required. Of course, getting it reset for any reason was a pain in the ass, too.
The company that used this threatened to search desks every month for passwords – though they never actually did – so I hid it in some personal possessions. If they wanted to search through my purse, wallet, and portfolio for passwords, they could go fuck themselves.
I walked into work today and about half of the PCs were locked out, including mine. By the end of the day I was still without access. Not a password issue, but an admin problem that they are working overnight to fix.
As much as I bitch about passwords, I guess I am really glad that the lack of access today is the result of too much security. It would be much worse if it was due to someone breaking in and hosing my data, and the five minute delays seem sort of trivial when you have 8 hours of no access.
The problem is that it’s not clear what changing the password does. As stated upthread, if a burglar steals your key, he doesn’t wait around for you to change your locks.
And c’mon. If a hacker lifts a password that reads whatever07 in July and it doesn’t work in August, it’s not like he won’t immediately try whatever08. Password expiration policies are security theater. They are probably worse than useless, as they discourage people from using truly strong passwords.
Heh. This is why I’m happy to be back in customer-facing work. Help desk always gets shafted by poor decisions made by idiot admins.
We had a problem where people spontaneously couldn’t use their network accounts. First one, then the next, then the next. At first, the admins basically said “That can’t happen” (ever a useful suggestion) and told us to submit tickets and they’d, you know, look at it at their convenience. Once we started working together and figured out we’re all getting these weird calls and submitted an outage ticket, we got an earful… until about half an hour later when a whole bunch of people showed up, including some VIPs, with the same problem. Not everyone, just enough to show there was a big problem.
Finally, I asked, “Okay, something has to have happened to cause this. What changed yesterday or today?” “Oh, well we migrated some accounts from the [project] domain, but these people weren’t on the list, so it can’t be that.” “It seems like a migration happening at the same time that this happens is a pretty big coincidence.” “It can’t be that.”
I started calling people back. “Hey, are you on [project]?” The first person says, “No, but I was, years ago.” The second person says, “No, but I’ve helped them occasionally.” The third person says, “Yeah, well I did up to last year.” And so on and so forth, everyone I talk to has a connection to this project.
I call them back with this info. “But they’re not on the list…”
I get a hold of an admin with half a clue and he says, “Hang on a sec.” <clickety-click> “… um, let me call you back.”
It turns out that whoever did the migration migrated all accounts from the [project] domain into the main domain. This was just supposed to be done for accounts that were on the list - those were the people on the project. But the admin had assumed that only people on the project had access to the domain. The admin hadn’t counted on the fact that years of laziness meant access to the domain hadn’t been revoked for dozens of people, and that information had overwritten all the information on the main domain account they had been using for years. Theoretically, you should have only had access to one or the other, other than a very small number of people in cross-over positions (a separate list)… except nobody had bothered to check.
About three days later, the whole mess had been sorted out, when another domain migration began…