Re: Passwords
IIRC, it's been shown that people will use the most easily remembered/guessed password they can get away with within the confines of the defined password policy when said policy forces frequent changes.
On the other hand, people will choose a more complex, less easily guessed password if it's significantly longer but only requires a change every 6-12 months and is, in turn, actually more secure.
Irhmbawhwrny1666 is probably more secure than Pa55wo0d26!
(FWIW, I Really Hate My Boss And Wish He Would Retire Next Year 1666 :-)
The initial letters of a long but memorable and personal phrase are easier to handle than a short, complex, random sequence and more secure.
Disclaimer: IANAsecurity professional and may be talking bollox.