>> “the security controls are severely lacking” <<
.
And false security, such as long,complex passwords, is choking government operations constantly.
The buzzword in some sectors of IT Security is “pass phrases.” Passwords are passé and a general threat to the integrity of most systems.
We enforce a 10-character minimum on our domain passwords, and users cannot reuse their previous 23 passwords. We hear a lot of complaints, but as user training continues, more people are glomming on to the idea that a long phrase, even if it’s spelled out perfectly, is better for security and memory than a single word fleshed out with numbers and symbols.