I am totally fed up with the varying requirements for passwords from just about every IT department of every new organisation who "require" you to use their internet service to continue doing business. In days of yore, the requirement was usually a password of 6 characters. I therefore developed the policy, as I only browse the internet on my home machines, to use two passwords: one for the bank and one for everything else. My bank passwords were never stored, but my other password could be, depending on the problems that would be caused if anyone was to "crack it", and I doubt if anyone were to crack my PPRuNe password, I would be financially embarrassed. Since those days, the IT executives have been reading their computer manuals and requiring, in addition to 6 or 8 characters, a capital, a numeric and another symbol - or maybe not. As a result, whether I like it or not I have to "remember" a large number of different passwords so that I can monitor my relations with such organisations as British Gas, Eon, Scottish Power and many other organisations of similar ilk. I got so fed up with the "increased security" demanded by British Gas not so long ago on their paperless billing system by requiring a password revision that I stopped paperless billing and they now have to, once again, mail me every three months!
With other similar organisations where I cannot avoid their "fancy passwords" I write them on "post-its" attached to the edge of my monitor! Highly security conscious, aren't I? But then if anyone is interested in the current balance of my electricity account - what good will it do them?
Having to remember user names is a similar pain. If I use my real name to register this, somebody will have beaten me to it and although a small change or addition will facilitate registration, it is invariably a different change for each organisation! Most organisations seem to have realised this by allowing one's e-mail address to be used instead, but there are still a few who bar the use of the "@" character in user names!
When my bank first gave their customers internet access for banking purposes they continued their internal practice by requiring passwords to be changed every month. On changing them, the old passwords used were recorded so that they couldn't be used again. Thus, every month, an individual's internet banking was brought to a halt while imagination was used to invent a fresh, memorable password. Eventually, inspiration became exhausted so the post-it system had to be used for banking access!
At last, the banks became so fed up with repeated telephone calls because their retail customers had forgotten their latest passwords that they dropped the system and have now found other techniques to maintain a good level of security without requiring their retail customers to use their powers of memory to excess!
Today the whole password system is a mess and for one reason or another significantly reducing the security that it should be able to provide. Unfortunately, the only way forward that I can see is another government quango determining the security required by any website and determining the level of security that the passwords it requires should be able to offer. Either this or let the customer determine the level of security required by permitting, say, a minimum of six characters so that anything can be used including capitals, numerics and symbols but not REQUIRING their use. If security is then breached, then it is the customer's fault.
P.P.