@Jason said:

@travisdh1 said:

@gjacobse The point is that forcing people to change their password even just 4 times a year means they will forget them, and be forced into using poor choices and/or patterns. Like @aaron I only have 2 memorized anymore.

Using patterns of added or changing special characters would be better. Either one still prevents the likelihood of a brute force (along with lockouts).

That's the worst. That's what creates the security weaknesses that we commonly see today.

Far better to have one long, never changing passphrase than many short, regularly changing ones.