Credential management is a mess at many organizations. Even where password changes are enforced (the best case), it is usually done without understanding the underlying risks and concepts.
Password complexity requirements are set without understanding, or taking into account, the psychological constraints that prevent people from remembering such passwords. That automatically leads to people writing them down or otherwise defeating the purpose of complex, frequently changed passwords.
In relation to the above, I just love this XKCD comic: https://xkcd.com/936/
It explains the idea pretty well: people cannot remember complex passwords, and complex passwords are not necessarily more secure.
INFOSEC professionals need to understand that more complex does not equal more secure. More usable and reasonably secure is much better.
Helping people remember passwords or providing them with additional usable forms of authentication is important. This is especially valid for system administration personnel, who need to remember dozens if not hundreds of passwords for all kinds of enterprise systems.
If you do not provide them with a well-maintained, usable and secure system to manage the different passwords for all the servers and devices they manage, people will always reuse passwords. It is inevitable.
The idea of using a sentence (with the spaces) has surprised many of my non-technical friends with how effective it is for both memorization and security.
Also… why do you really need to change a password every month, or every three months? Do you really think that forcing people to change their passwords every one or three months makes their passwords more secure? It is the opposite. At some point people start writing them down or using very insecure, easy-to-guess change patterns, such as appending a digit and rotating it from 1 to 12 through the months of the year. Please stop this practice; it is dangerous. A well-chosen password changed every 6 to 12 months is more secure than an easy-to-guess pattern changed every month.
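To make the two points above concrete (the passphrase argument from the XKCD comic, and the "rotating digit" change pattern), here is an added example that is not part of the original post. It compares the brute-force entropy of a word-based passphrase with that of a character-based password, generates a passphrase with a CSPRNG, and implements a simple check a password-change handler could run to reject a new password that is only the old one with its trailing digits changed. The word list is a constructed toy list; the entropy figures assume an attacker who knows the scheme and must search the full space (pattern-based choices such as "Tr0ub4dor&3" are weaker than this upper bound).

```python
import math
import re
import secrets

# Constructed 32-word toy list for demonstration only: 32 words give just
# 5 bits per word. A real deployment uses a large list (the 7776-word
# Diceware list gives about 12.9 bits per word).
WORDS = [
    "apple", "river", "candle", "forest", "window", "marble", "silver", "garden",
    "planet", "button", "copper", "meadow", "pencil", "thunder", "velvet", "anchor",
    "basket", "castle", "dragon", "engine", "falcon", "glacier", "harbor", "island",
    "jacket", "kettle", "lantern", "mirror", "needle", "orange", "parrot", "quartz",
]


def passphrase_entropy_bits(word_count, dictionary_size):
    """Brute-force entropy of `word_count` words drawn uniformly from a dictionary."""
    return word_count * math.log2(dictionary_size)


def charset_entropy_bits(length, pool_size):
    """Brute-force entropy of `length` characters drawn uniformly from `pool_size` symbols."""
    return length * math.log2(pool_size)


def generate_passphrase(words, count=4, sep=" "):
    """Pick `count` words with the OS CSPRNG (secrets), joined by spaces as the post suggests."""
    return sep.join(secrets.choice(words) for _ in range(count))


# Trailing-digit pattern: "Summer01" -> stem "Summer", num "01".
_TRAILING_DIGITS = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)$")


def is_digit_rotation(old, new):
    """True when `new` is `old` with trailing digits appended or merely changed
    (Summer01 -> Summer02, Winter2023 -> Winter2024, Password -> Password1).
    An unchanged password also returns True, since it is the trivial rotation.
    Meant to run at change time, when the old password is still available."""
    m_new = _TRAILING_DIGITS.match(new)
    if not m_new:
        return False
    stem = m_new.group("stem")
    if not stem:
        return False  # all-digit passwords are a separate policy failure
    if stem.lower() == old.lower():
        return True  # digits were simply appended
    m_old = _TRAILING_DIGITS.match(old)
    return bool(m_old) and m_old.group("stem").lower() == stem.lower()


def compare_schemes():
    """Four Diceware words versus an 8-character password from the 94 printable ASCII symbols."""
    return {
        "4_diceware_words": passphrase_entropy_bits(4, 7776),
        "8_char_94_pool": charset_entropy_bits(8, 94),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme}: {bits:.1f} bits")
    print("sample passphrase:", generate_passphrase(WORDS))
    for old, new in [("Summer01", "Summer02"), ("Password", "Password1"),
                     ("Summer01", "copper lantern quartz meadow")]:
        print(f"{old!r} -> {new!r}: rotation={is_digit_rotation(old, new)}")
```

The numbers show why the comic's point holds: four words from a 7776-word list are about as strong against brute force as a fully random 8-character password from the whole printable set, yet far easier to remember. The rotation check is deliberately narrow (trailing digits only); a production policy would pair it with a breached-password list and a reuse history of hashes rather than plaintext.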
That is why using an enterprise-level password management application is essential. One example of such software is PasswordState – http://www.clickstudios.com.au/
Web-based and integrating well with Active Directory, one could not ask for much more. Look for well-maintained and frequently updated password management systems, evaluate, test – you know how the process works.