(no title)

Where Do Security Policies Come From found that the websites with the most aggressive policies were those with the least incentive to make the system easy-to-use. Big sites like Facebook and Paypal somehow manage to be safe without the strict password requirements of <random university intranet here>. Likely because they have financial incentive to make their systems easy-to-use.

https://www.microsoft.com/en-us/research/wp-content/uploads/...

(Disclaimer: I know one of the authors)