Some years ago I gave a lecture to some computer science postgrads at UCL. At the time they were doing a lot of research in to this issue and other password related matters. Perhaps you can find a copy of it on the web?

What I hate it is things that make you change your password periodically. I think, empirically, this is almost certainly going to reduce security, because you end up having to write it down. And what does it add? If someone gets your existing password then chances are they'll do the damage the want to do in the month or so before you have to change your password.

Another thing that is stupid is the use of asterisks when entering a password on a tiny little screen, like a mobile phone - how many times have you been typing a code/password in to a mobile phone and feared someone watching you? If someone you really didn't want to know was behind you wouldn't you just not type it in at that moment? It's fine for cashpoint machines, maybe okay for computers, but mobile phones? It's daft.

Anyway, I'm off to set everyone's PPRuNe password to 'password'.