I do security testing, in an average enviroment a strong password ( 14+ chrs upper & lower case alpha numeric with special chrs) can be cracked by simple progs like l0pht & john in 39 days. you want to set you password max age to a max of 30, and the min age to a min of 2 with the last 12 -15 passwords remembered. this will help to increse security, oh and make the at lease 8 chrs not 6