[Cryptography] Possible reason why password usage rules are such a mess

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Mar 4 07:16:51 EST 2020


There has been some speculation in the past over why we have so many cargo-
cult password security rules that make no sense in any modern context, the
prime example being the need to change passwords periodically.  I've found one
possible explanation, the Ware Report, which talks about authentication words
more than passwords, and in a manner in which they resemble military
countersigns rather than what we'd think of today as passwords:

  Authentication words or techniques must be obtained from an approved source,
  or, alternatively, must be generated and distributed under the cognizance of
  the System Security Officer by approved techniques. Specifically, a user
  cannot generate his own passwords [...] Authentication words must be changed
  as frequently as prescribed by the approved issuing source.

Looking at a WWII-era field manual, that looks very similar to the
requirements for countersigns given in that.  Perhaps this could be the source
of so much of the historical baggage of unknown origin that's attached to
passwords: they came from military countersigns that were repurposed for use
with computers.

Peter.
