Microsoft researcher Cormac Herley recently published a paper casting doubt on the economic value of following conventional password policy recommendations. Whether you agree with Herely or not, his economic analysis is well worth reading.

Security Watch has a nice summary.