
@Trevor_Potts - Very Good Article
So good, I have registered on The Register for the first time in 12 years of reading to contribute!
Management buy in is the most important thing in these situations. I especially like the idea of e-mailing managers with read receipts switched on. That way you can track the inevitable majority who don't bother reading your e-mail and who need a more direct interaction.
But in terms of getting users to submit to password security policies, that is actually very easy. You simply flip the script. Rather than making it seem like an edict from those "geeky, jumped-up freaks in IT", you sell it. Remember, secure passwords are for THEIR protection. After all, a compromised password can really put an end user in the merde. Passwords are not only used for securing resources but as part of audit accountability. If Freddy Feasy has been writing his password down on a bit of paper, sticking it to his monitor and using it for the last 3 years, when the inevitable data breach happens, the sacrificial lamb tossed to the prosecutors or discipline board will be pretty obvious. This is particularly effective with those users who INSIST on sharing their passwords with significant others.
But if the carrot is your preferred educational tool (and you have the time and patience), I would recommend demonstrative password security training. The reasons for this are simple. To most end users, passwords are a barrier between them and their computer. It's only after they see "the most difficult password they can come up with" cracked in 0.2 seconds that it suddenly all makes sense. Then all those special characters, numbers, upper-case and lower-case letters, maximum password durations and prevention of reused passwords make a little more sense.