I work in schools.
My first act upon taking on my most recent job, for a large prestigious prep school, was thus:
- Stop the stupid automated 30-day "passwords must be reset" that generated dozens of calls every day as various people's password expired when they were off-site, so they couldn't log in remote, and wouldn't let them use any password they've used in the previous year resulting in - I kid you not - things like P4ssw0rdFeb2014.
- Stop the stupid length restrictions on AD passwords and a few other services ("You must have a secure password but hey, you can't have one THAT secure"?!).
- Actually implemented password retry limits on the remote desktop (Literally, WTF?!)
- Encourage all staff to choose a handful of REALLY DECENT passwords on the promise that I wouldn't expire them literally before they got back from half-term.
- Totally refuse to implement remote-password changing, which would have been at great expense both in money and security. You want to change your password? Come prove who you are to me rather than be some random IP on a web interface. Your password is compromised? TELL ME and I'll block everything from getting in as you, from email to access control, and then I can also check and have something to tell the Data Controller should access have been compromised.
- Print out and display the relevant XKCD cartoon, especially emphasising the bottom part:
https://xkcd.com/936/
- Once a term, stand up in the relevant staff meetings and say "Is it time to change your passwords?" and leave it at that.
Instantly, much less crap passwords, no more Post-Its stuck to work-area monitors used by particular people, much less staff stress, much fewer helpdesk calls, zero compromises, no children guessing staff passwords, much more honest staff when they think they may have revealed their password (by typing into a spam email link or whatever) and the number of password resets just "because I've forgotten it" plummets even among the children.
And the biggest complaint now? Their Apple IDs have onerous password requirements so a few of them have just changed one of their main passwords to be "Apple compliant" too.
As the first act in a new job, it generated a lot of buzz, especially from my boss (the Data Controller). At that point I dug out the relevant word of law (part of which only says "regularly", not "frequently" - once a term is regularly, as is once every ten years) and copied in articles like this from a variety of sources.
Number of queries of the policy since doing that, even from Data Controller, external audits, inspectors, governors, etc.? Zero. Reason I have the job? Last guy lost all their data, so they are crawling up my backside about everything from disaster recovery to remote compromise to cyber-blackmail to encrypting viruses. But radical password policy that means my users have more secure passwords and much less hassle? Zero.
It does help that I'm a mathematician, though, I think, so I can literally explain brute force numbers in seconds in a way they can understand. Password compromise is something that isn't affected by the length and strength of your password, and that's infinitely more likely. And brute force is much more unlikely on a random English sentence with perfect spelling and grammar than some hard-to-remember, impossible-to-write-down concoction just to satisfy having numbers in it.