Passwords
Sergey, 2012-12-18 13:51:08

Who is struggling with passwords on pieces of paper next to the PC?

The problem is old, the problem is well-known - users come up with (they are given) a password and they leave it written down on a piece of paper next to the computer. How did you solve this problem?


13 answer(s)
Shultc, 2012-12-18
@Shultc

Information security judgments of the sage and teacher Yin Fu Wo, recorded by his students
Chapter 1. About employees
One day, the Sysadmin complained to the Teacher:
- We gave all our users individual passwords, but they do not want to keep them secret. They write them down on pieces of paper and stick them to their monitors. What should we do? How can we force them?
Yin Fu Wo asked:
- First, tell me why they do it.
The sysadmin thought for a moment and answered:
- Maybe they don't consider the password valuable?
- Is the password valuable in itself?
- Not in itself. The information that is password-protected is valuable.
- For whom is it valuable?
- For our company.
- And for users?
- For users, apparently not.
- So it is, - said the Teacher. - There is nothing valuable for our employees under the password. There needs to be.
- What is valuable to them? - the sysadmin asked.
- Guess three times, - the Teacher laughed.
The system administrator left enlightened and made personal pages for all employees on the corporate portal. And on those pages the size of the salary was indicated. Upon learning of this, all users became worried about their passwords. The next day, in the smoking room, they discussed the size of the salary of the Chief Accountant. On the third day, no one could see the slips with the passwords.
forensics.ru/InFuWo.htm

Petr Vasiliev, 2012-12-18
@danial72

Unfortunately, I don't have any experience with this issue. However, I saw a funny system in one office.
Any person who sends a message from someone else's computer (some kind of messenger) with his email address receives 10% of the salary of the person who forgot to log out.
The team there was extremely bitchy and everyone kept their password like the apple of their eye.

Maximus43, 2012-12-18
@Maximus43

We have a specially trained person in the position of security officer (Security Officer), who regularly walks around the workplace and looks at open sessions, passwords on pieces of paper, etc. If he finds a computer without supervision with open access or pieces of paper with passwords, then he opens the mail from the employee's computer and writes something on his behalf. For the first time, it may be sending out messages to all employees like: "I'm the coolest, and you are all suckers." It's kind of a joke, but it works 99%. If a person is caught a second time (we only had one), then the security officer writes a letter from the employee’s computer to the personnel department with a request to postpone the vacation to the end of November. We didn't have a third time. :-)

Nikolai Vasilchuk, 2012-12-18
@Anonym

Who is struggling with passwords on pieces of paper next to the PC?
Shredder?

Sergey Galkin, 2012-12-18
@Larrikin

April 01, 2004
Determination of liability for violation of the TPIB is undoubtedly one of the most important sections of the policy itself. If there are no effective penalties for violating the policy, then the policy itself will not work. This is an axiom. In this article, the author shares the experience of "closed offices" in the fight against internal violators of the requirements of the Information Security Policy (TPIS).
www.securitylab.ru/analytics/216341.php

Raivon, 2012-12-19
@Raivon

And most importantly, the task of protecting data in the organization (passwords, tokens, encryption, etc.) should be set by your manager. At our work, the head of the enterprise does not care about passwords and data protection (he himself has a password of almost 12345); all my exhortations about security, etc. are received with a smile. Now I look at the pieces of paper with employee passwords on the monitors with a smile.

alex_dredd, 2012-12-18
@alex_dredd

I think it is treated only by wage fines.
This, of course, if your users set their own passwords.
If passwords are issued by a system administrator, then in any case, at least for several days, this password will be stored by the user somewhere on a piece of paper or in draft messages on the phone until the user remembers it.

Anton Agaltsov, 2012-12-18
@Archusha

After work, you change the password on pieces of paper, destroy the old one.
And in the morning of the next day you “wake up” work.

wartur, 2012-12-18
@wartur

You can introduce fingerprint scanners.

qxfusion, 2012-12-18
@qxfusion

As a rule, there are 4 solutions:
(1) if there are corporate devices (for example, employees' phones, etc.) - then update the password after logging in according to the old one, and the new password is sent to the employee's personal device
(2) bind personal correspondence, level h. P. etc. to the employee's password
(3) fines, fines and more fines - on a progressive scale - i.e. first $5, $50, $500, $5000 - this will help employees understand that passwords should not be written on pieces of paper
(4) use tokens instead of passwords, and embed smart cards into the token to enter office premises - this solves the problem if the token is lost, then the person will not enter or leave the premises (and of course, the token itself must also have a password)

Alexey Grichenko, 2012-12-18
@Kalobok

It only means wrong organization. If someone might be desperate to read someone else's mail, there are different solutions other than opening a password. For example, forwarding letters during an employee's vacation. Or a group address for such contacts, so that all interested parties can see the correspondence. Someone else's password may be needed only from laziness or mediocrity of admins.

Lev Lybin, 2012-12-18
@lybin


KeePassX; before that there was an Excel file. Some I remember; for some there is a mask that I also remember, for example, a word or phrase plus the name of the resource the password is for, typing Russian words while the English layout is on: f,hf [f,h

IvanovSV, 2012-12-21
@IvanovSV

We have it easier. The main work program logs user actions. If another sat down and messed up, it will fly to the main user. Users are warned about this, and therefore passwords are not posted anywhere.
