I agree MORE can be done to improve security, first step being STOP promoting and using these poor practices. It is not just poor security, it is a time wasting exercise that cost money. I used to work for a NHS hospital and one quarter of the time of the large Service Desk team was wasted resetting passwords. Imagine the time that the healthcare personnel wasted!