I think these points do seem valid at a first look but get seriously in your way when applied all. We have here some brain dead SAP system which does enforce a password change every 3 month where I must pick a new password which is not forbidden by about 12 rules and a big negative password database. This results in many password changes where I get a sensless error messages that my new password violates one of the rules or is on the black list but I does not say which rule I did violoate! Now I generate a random password write it down and I am fine with it. Some do even store it on a file on the PC because it is easier to look up. Password security is overrated because the admins seem to have lost the sense for real security threats. At least we have a password that should suffice. My money at my bank is much unsafer there. I can go there and transfer money from anybodies account to my own account. If the signature does roughly match (they check only above 10k$ anyway) then the money is gone. There is no passport check no foto or bioscaner at my bank! Why should I secure my e.g. salary database so tight when the real money is much less secured? Whhen I write my passwords down and put it into my pocket they are equally safe as my money. If my password is stolen now my pocket with the money has also gone. This sort of safety is enough in 99% of all cases. And no I do not put my pin number of my master card into my pocket but it is stored in a safe place elsewhere.

Good post, and I like the ideas. The only one I have to mention is enforce password strength policies if you are an admin. I know a lot of administrators of domains that don't have a password strength policy set.