Hacker News
Password fatigue - Wikipedia, the free encyclopedia (wikipedia.org)
1 point by daniel-cussen on Feb 23, 2008 | 1 comment


This is a perfect example of where the theory/practice divide comes back to bite us. In THEORY enforced entropy, scheduled changes, "blind" passwords that don't echo back a character, etc. all make our users way safer. In practice, most of the time they just piss them off and the users just recycle the same "entropic-enough" passwords on all sites, which they rotate through whenever bothered to do so.

Users haven't read the security texts and, if they have, they probably don't care.

Which isn't to say we SHOULDN'T design systems like that, it just means that we shouldn't be surprised when users circumvent our well-intentioned password policies.



