We use a 30 min timeout with a 6-character password with no complexity required. We also put the "Owner" message on the device when it is locked to show the user's name, company name, and a msg saying if found please contact our 800 number for our helpdesk. I thought there was no way in hell we would ever get an honest person to call. But funny thing, in 3 yrs we have had 5 lost devices where the person who found it called our helpdesk. But when it comes to password policy you have to consider your business. You have to think that financial firms would have a much more strict policy than your avg company. So I don't think there is any wrong answer on the timeout of the password policy... as long as you enforce it.
~~Dazed and Confused~~