At my work, the restrictions on what you can use for your password that controls your access to all internal systems are crazy. How can they impose higher restrictions on this compared to accessing online banking or stock trading accounts, where someone could steal others' funds? Here are the rules, which are much too strict for the importance. Severity: 4
Password Setup Rules:
1. Must be exactly 8 alphanumeric characters in length.
2. Must include at least one numeric character separating the alpha characters. e.g. pass2you
3. Must not contain your user-id or any portion thereof.
4. Must not include your first name, last name, full name, or parts of your name.
5. Should not use any full proper name or certain key words.
6. The password cannot be the same as the last 16 passwords used (for iChangePassword).
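As an added illustration (not part of the original post), a Python checker that applies the six rules as posted and counts how many 8-character passwords rules 1 and 2 actually allow. The keyword list, the 3-character reading of "any portion thereof", and the sample user details are assumptions chosen for the example.

```python
import re
from math import log2

# Constructed sample data, not from the original post.
KEYWORDS = {"password", "company", "welcome"}  # assumed stand-in for rule 5's "certain key words"
MIN_FRAGMENT = 3  # assumption: a "portion" of a user-id or name is any substring of 3+ characters


def fragments(word: str, n: int = MIN_FRAGMENT) -> set:
    """All lowercase substrings of length >= n (our reading of 'any portion thereof')."""
    w = word.lower()
    return {w[i:j] for i in range(len(w)) for j in range(i + n, len(w) + 1)}


def check_password(pw: str, user_id: str, first_name: str, last_name: str, history: list) -> list:
    """Return the numbers of the posted rules that pw violates (empty list = accepted)."""
    low = pw.lower()
    bad = []
    if not re.fullmatch(r"[A-Za-z0-9]{8}", pw):            # rule 1: exactly 8 alphanumerics
        bad.append(1)
    if not re.search(r"[A-Za-z][0-9]+[A-Za-z]", pw):        # rule 2: digit(s) between letters
        bad.append(2)
    if any(f in low for f in fragments(user_id)):           # rule 3: no portion of the user-id
        bad.append(3)
    names = fragments(first_name) | fragments(last_name) | fragments(first_name + last_name)
    if any(f in low for f in names):                        # rule 4: no part of the name
        bad.append(4)
    if any(k in low for k in KEYWORDS):                     # rule 5: blocked key words
        bad.append(5)
    if low in (h.lower() for h in history[-16:]):           # rule 6: not among the last 16
        bad.append(6)
    return bad


def rule2_keyspace(length: int = 8) -> int:
    """Count alphanumeric strings of `length` that contain a letter, digit(s), letter run (rule 2)."""
    L, D = 52, 10
    # states: 0 = no letter yet, 1 = letter seen, 2 = letter then digit(s), 3 = rule satisfied
    s = [1, 0, 0, 0]
    for _ in range(length):
        s = [s[0] * D, (s[0] + s[1]) * L, (s[1] + s[2]) * D, s[2] * L + s[3] * (L + D)]
    return s[3]


def policy_bits(length: int = 8) -> float:
    """Bits of keyspace left once rules 1 and 2 are applied (62**8 alone is about 47.6 bits)."""
    return log2(rule2_keyspace(length))
```

Rules 3 to 6 shrink the set further per user, so the fixed 8-character length, not the digit rule, is what caps the strength of every password under this policy.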