Yeah... I don't know anyone who writes it down on a post-it next to their computer, but we do have a 90-day policy, and my password strategy is not quite what the GP described, but it's not too far off, either. That's the stupidity of just not allowing us to create a really great pass-phrase that would take years to break. That's all on top of two-factor authentication (RSA SecurID) when not signing in from our internal network.
The stupidity is that on systems that have multiple users, we have a shared account that we use - it's actually assigned to a large number of systems; these are not users' desktops, but graphics production systems that any number of operators might use. The problem is that the IT department implemented this password policy without asking any departments about the effects, and after 90 days we were blocked from this account because none of the operators had the authority to change it, and if they did, they'd lock out everyone else who didn't know it - many offices, or even buildings, away. Moreover, none of us get the email from that account - which doesn't even really have email - so nobody got a warning that the password was expiring. So we do live TV, and people couldn't log into the systems that generate the on-screen graphics. Of course, now that login is an exception, but it points out a problem with IT blindly creating a policy without input from the people it's affecting.
The other stupid thing is that our MS Office accounts are tied to our logins, and we can authorize up to 5 boxes. There are at least 100 production boxes, and we can't license them by box. We do a lot of daily production data in spreadsheets because it's easy for the user and easy to use as a data source.
In any event, the more passwords humans are required to remember, and the more complicated they are required to be, the less secure we're going to make things, as people do skirt the guidelines to make them as easy to remember as possible - or they write them down, or whatever.
Frankly, I don't see what's wrong with the scheme the GP described (although I would make it more complex). If someone has to brute-force decrypt it, it will still take just as long. With the special characters in there, it's highly unlikely someone could guess it. It's true that once they'd got it once, they'd be able to guess it correctly later on, but the idea is to make it hard to get even once.