One of the problems with passwords is when you ask people to remember too many ... at my previous job, I had around 20 passwords ... most of which I did not create myself. The result: I had to write some of them down, especially the ones I hardly used.

Human memory can only remember so much. Asking me to change my password constantly and remembering the last 20 passwords I used is going to decrease security.

I think there is a limit to what you can ask people to remember. Yes, give them an impossible password of 16 characters ... but let them use it for a long time. The more passwords you give them, the more likely they are to be written down somewhere.

This does favor the call for combining passwords with some kind of physical control such as biometrics to improve security.

And, let's not forget, forcing people to change the default password the first time they log in.

Cheers,

BrainStop