Strange UserIDs

Information Security Professiona
In the past two posts, I talked about passwords: how they are stored, why you need to change them frequently, and why in reality you may not need to change them at all.

But what about userIDs? 

Along with password changes comes another end-user annoyance: the userID. Is your userID “first initial last name,” or is it something complex like “zmasa23”? Once again, the complex userID is more than just a cruel trick played on end users to prevent them from accessing their computers: it is one more layer of security. If your name is Michael Seese and your userID is simply mseese, then your ID is at risk. If this is your protocol for corporate userIDs, then a company directory puts all employees’ userIDs into a cracker’s grubby hands. And one of those userIDs is bound to have a weak password. However, if your userIDs are a complex string of letters and numbers, a cracker has one more thing to figure out. Further, it can help to prevent a social engineering attack, in which a cracker calls the help desk, claiming to be “John Smith, with a wild guess at a userID of jsmith1.” If your userIDs are not using some version of first initial + last name, then the person taking the call would know that “jsmith1” is not a valid userID, and that the caller is a fraudster.
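Here is a small audit sketch of both points, added as an illustration and not taken from any production system: it flags userIDs that anyone holding the company directory could guess, and classifies a help-desk caller's claimed userID. The function names, the naming conventions beyond "first initial + last name," and the sample directory are assumptions made up for the example.

```python
import re

def name_derived(first, last, user_id):
    """True if user_id is a guessable form of the name, optionally with trailing digits."""
    f, l = first.strip().lower(), last.strip().lower()
    if not f or not l:
        return False
    # Assumed conventions; the post itself names only "first initial + last name".
    bases = {f[0] + l, f + l, f + "." + l, l + f[0]}
    stem = re.sub(r"\d+$", "", user_id.lower())  # jsmith1 -> jsmith
    return stem in bases

def audit_directory(directory):
    """Return the userIDs that can be guessed from the directory's names alone."""
    return [uid for first, last, uid in directory if name_derived(first, last, uid)]

def helpdesk_check(directory, first, last, claimed_id):
    """Classify the userID a caller claims against the real directory record."""
    real = {uid for f, l, uid in directory
            if (f.lower(), l.lower()) == (first.lower(), last.lower())}
    if claimed_id in real:
        return "valid"  # the ID matches; the caller still has to be verified
    if name_derived(first, last, claimed_id):
        return "suspicious: name-derived guess"
    return "invalid"

# Constructed sample directory: (first name, last name, userID)
DIRECTORY = [
    ("Michael", "Seese", "mseese"),   # predictable
    ("John", "Smith", "qx7rt41"),     # opaque
    ("Ana", "Lopez", "alopez2"),      # predictable, digit suffix
]

if __name__ == "__main__":
    print("Guessable userIDs:", audit_directory(DIRECTORY))
    print(helpdesk_check(DIRECTORY, "John", "Smith", "jsmith1"))
```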

So you see, we infosec guys don't make up these weird rules just to torture you. We have our reasons.
