Is anyone saying anything about the unbelievable loss of productivity that is the result of our operating in fear that something bad might happen?
It does not appear that anyone considers the real risk in the computing industry - that anyone with access to a system can intentionally or accidentally breach it at any time regardless of the safeguards in place. Instead, we go about hindering trustworthy people in their work.
With respect to frequent timeouts (3 min for example) has anyone considered the risk that the more times a password is used, the more opportunity there is for it to be sniffed? Who is it that decides what is acceptable risk and on what basis does he/she make that determination?
That brings us to two-factor authentication. An example of this is where a user's PIN is combined with a dynamically changing numeric key (which the user gets from an RSA device - don't leave home without it!) to constitute a password which is entered along with their username to be authenticated to a system. I am quite sure this brilliant scheme was invented by a freedom-deprived communist or third-world country ingrate.
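The PIN-plus-token scheme described above, as an added example that is not part of the original post: the RSA token's own algorithm is proprietary, so this stand-in uses the open HOTP/TOTP construction (RFC 4226 / RFC 6238) for the changing code, with a constructed seed and PIN. The verifier concatenates the PIN and the code into one passcode, accepts a small clock skew, and remembers the last accepted time step so that a passcode captured in transit cannot be replayed, which is the property that answers the sniffing concern raised in the post.

```python
import hashlib
import hmac
import struct

# Constructed sample credentials for the demo; not real token material.
TOKEN_SEED = b"constructed-demo-seed-0123456789"
USER_PIN = "4321"
STEP_SECONDS = 60  # assumed: the token shows a new code every minute
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(seed: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, int(now // step))


def token_passcode(pin: str, seed: bytes, now: float) -> str:
    """What the user types: the PIN followed by the code the token shows right now."""
    return pin + totp(seed, now)


class Verifier:
    """Server-side check of PIN + one-time code with replay protection."""

    def __init__(self, pin: str, seed: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.pin = pin
        self.seed = seed
        self.step = step
        self.skew = skew            # accept this many steps of clock drift either side
        self.last_counter = -1      # highest time step already used; blocks replay

    def verify(self, passcode: str, now: float) -> bool:
        if len(passcode) != len(self.pin) + DIGITS:
            return False
        pin, code = passcode[: len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin):
            return False
        center = int(now // self.step)
        for counter in range(center - self.skew, center + self.skew + 1):
            if counter <= self.last_counter:
                continue  # that step was already spent: a sniffed passcode is useless
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    t0 = 1_000_000.0
    v = Verifier(USER_PIN, TOKEN_SEED)
    pc = token_passcode(USER_PIN, TOKEN_SEED, t0)
    print("first use:", v.verify(pc, t0))          # True
    print("replayed 5s later:", v.verify(pc, t0 + 5))  # False
```

Because the code half of the passcode is bound to the time step and each step is accepted at most once, capturing the passcode on the wire yields nothing reusable, which is the practical difference from a static password that is re-typed at every short timeout.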
It seems to me that all of it is quite arbitrary and not based on data sensitivity gradation.