For 04/01, we created a new password policy: whenever any password in the enterprise changed, all must be changed. After all, it's always the oldest passwords that are weakest, so it follows that all passwords must be simultaneously changed. Several people commented that they liked the guidance on acceptable passwords. For instance:
Additionally, your password and personal verification may not:
-Match the name of a first or second cousin (however third cousins and beyond are acceptable).