Passwords are such a weak security mechanism. It is so typical for people to use one or two passwords for every online account they have. If someone gets that password (perhaps a sysadmin at a web site that you use) they could use it to open all kinds of doors.
Having recognized that, I am not a big fan of web sites that try to prevent that. Today I was reviewing an account I have with GMAC Finance. They require a password with two numeric characters. I cannot imagine anything with two numbers that I can easily remember, especially at a site that I visit infrequently.
However, I can top that. Ministry’s Retirement Savings vendor, Diversified Investment Advisors, requires an 8 character user name. What is the sense in that? I can see an 8 character password, but the user name is the part that should be really easy to remember.
In the hospitals we have hundreds of applications. Buying products that plug into our Active Directory authentication scheme is becoming more and more critical. Asking your users to remember a lot of complex passwords that change frequently will result in people writing down passwords in places they can find them.