One day the Sysadmin complained to the Teacher:
- We gave all our users individual passwords, but they do not want to keep them secret. Write down on pieces of paper and stick to the monitors. What should we do? How to force them?
Yin Fu Wo asked,
“First, tell me why they do it.”
The sysadmin thought for a moment and answered:
“Maybe they don't consider the password valuable?
Is the password valuable in itself?
“Not on my own. Valuable information that is password protected.
For whom is it valuable?
- For our company.
– And for users?
- For users, apparently not.
“So it is,” said the Master. – There is nothing valuable for our employees under the password. It needs to be.
What is valuable to them? the sysadmin asked.
“Guess three times,” the Teacher laughed.
The system administrator left enlightened and made personal pages for all employees on the corporate portal. And on those pages the size of the salary was indicated. Upon learning of this, all users became worried about their passwords. The next day, in the smoking room, they discussed the size of the salary of the Chief Accountant. On the third day, no one could see the slips with the passwords.
Judgments about the information security of the
sage and teacher Yin Fu Wo [1],
recorded by his students
forensics.ru/InFuWo.htm

Approve the information security policy (where to register, among other things, responsibility for the safety of your passwords), familiarize employees with it against signature and apply disciplinary sanctions (reprimands, cancellation of bonuses, etc.) for violations of it.
Well, of course, before the "first blood" it will not have any effect.

I saw the password on a piece of paper - I changed it to something 16-character on the full set without the right to change it. Well, a password policy is also, of course, needed. Written on paper, signed by management.

only ogr measures, accept the IS policy. Introduce responsibility for non-performance. Well, of course, another option is to walk and collect "papers", but somehow not very much.