I always hate mandatory expiration dates for passwords -- just in principle, I consider it a questionable policy from a security standpoint. Most people aren't good at thinking up passwords, and I suspect that they wind up with weaker passwords since they have to keep figuring out new ones.
That's become less of an issue for me in recent years, since I was introduced to a good mechanism for dealing with it: I go to my iPod, dig through my vast collection of favorite songs, choose a suitable line, and leet it a bit arbitrarily. Pure and consistent leeting doesn't help security much, since it's a straightforward transformation. *Inconsistent* leeting and abbreviation as I do it strengthens security enormously, though, since it makes the search space much larger. I'll leet some characters a bit randomly, abbreviate some words, transform some words into symbols but not others -- the result is pretty unpredictable, even to me. The result is a passphrase that's pretty easy for me to remember, but hard to predict even if you knew what song it was taken from. (Usually a pain in the ass to *type* for the first couple of weeks, due to the transforms, though -- it doesn't simply flow from my fingers since it isn't real words. Right around the time I completely get it into my fingers, it expires and I have to start over.)
There's only one problem with this approach: I have to remember the line that I chose, and I get paranoid about it. So the result is that, for the week after I choose a new password, I am *utterly* earwormed with the song I chose the line from. It's all I can do to keep from humming it constantly. Fortunately, I always choose a long I like, but it still gets pretty annoying...
I download a couple of zip files on a monthly basis that are password protected. The password doesn't change often, but it's a random machine generated alphanumeric string. There's no way I can even begin to remember it and as I only use it once a month, it's not worth the brain cells.
So I print out the email they send with the password and keep it buried in a 3 inch binder that's stuffed full of boring technical stuff that no one will ever read. If I ever need to unzip one of these files from a year or two ago, I'll need to know what the password was then. If I ever leave this job, my successor will also need to know those passwords.
A wonderful example of what happens when the admin and the end-users are at odds with one another...
As for the aggregator, I strongly commend LastPass. That's what I've been using for the past year, and I quite like it. It has the right security characteristics (rule number one: any serious password vault should say upfront "If you lose your master password, we can't send it to you"), has all the important features nicely integrated (including "hand me a new highly-random password"), and is very convenient when you are on a dozen different computers as I am. (I will admit that I have incentive to proselytize: I want the company to survive, so I want them to have lots of customers.) Password vaults are a bad idea conceptually, but this is the best implementation I've found...
I'm not a betting woman, but right now I would put a significant amount of money down that at least 50% of the company has their password on a sticky note somewhere at their desk. I think the system would actually work better if we were all prompted to create an appropriately secure password, and then allowed to keep it. But I'm an end user - no one care what I think...
One of the other sites I frequent has forbidden the use of special characters in passwords, which boggles the mind even further.
... okay, that has to be due to some sysadmin who took a one-day course in security and *utterly* failed to understand what was being talked about.
(Or, conceivably, some ill-considered desire to be "fair", on the theory that, if the third "Mr. M Waks" is going to have to be "mwaks3", the first such person shouldn't get an unfair advantage. That would be typical bureaucratic thinking.)
One of the other sites I frequent has forbidden the use of special characters in passwords, which boggles the mind even further.
I'd bet that their internal security sucks. The only likely reason for such a rule is that you're doing some sort of transformation or storage of the passwords, in a way that assumes alphanumerics. (Or, possibly, that their database code is bad and they are scared of someone playing SQL injection games.)
Basically, any such rule indicates that they don't have faith that the password is simply a random string that they can treat as an opaque blob -- and it makes me nervous when a site is that nervous...
And yeah, the song sticks in my head pretty heavily, too.
At work I have to deal with a bunch of systems with different (mutually-exclusive) rules and cycle times for passwords, so I have finally been forced to start writing down the inputs/clues (not the actual passwords, of course, just an unambiguous path). I'm not sure this is actually making my passwords stronger.
Microsoft: Changing Passwords Isn't Worth the Effort