The company I work for recently revised their password policy to "increase security", requiring us to change our main login passwords once a month, and that all passwords must be at least 10 characters, contain a lowercase letter, an uppercase letter, a number, and a symbol. This is completely illusory security - given that our login system locks your account after three incorrect attempts, a brute-force attack is never going to be a sensible method. But the frequently-changing, hard-to-remember passwords mean that I suspect at least half the employees have their password written on a Post-It somewhere.