Here are a few password policy suggestions:
* PW's should be a minimum length, and should be case-sensitive
* PW's should contain a mix of upper and lower case letters, numbers, and special characters
* No dictionary words
* PW's cannot match the login ID. Similarly, if you know the user's real name, the PW's cannot contain either the first or last name
* PW's should expire after a reasonable amount of time. Previous PW's cannot be reused (meaning you should retain a history of say, the last 4 or 6 passwords each user used)
The trade-off when it comes to passwords is simply that a really good password would be random (e.g., "eR5z4jNy+M"), but that also makes it very difficult for a person to remember. Plus, if those kinds of PW's expired after say 30 or 60 days, realistically people would end up writing down the PW on paper and taping it to the PC or underneath their keyboard.
In order to overcome the "hard to remember" factor, some companies are implementing a pass-phrase rather than a password. Similarly, what you could do would be to have people create a password using the first letter of a favorite quote, song lyric, or whatever. Example: "Sounds like somebody's got a case of the Mondays" becomes "SlsgacotM", which appears quite random but should be simple for the user who selected it to remember. Good luck with it. As I said, the main issue IMO is just finding the right balance between having your users adhere to good PW policies while not making them so hard to remember that people are forced to write them down in plain sight. -- J.W.
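The rules listed in the post above, as an added example in Python that is not part of the original post: a checker that reports which rules a candidate password breaks (length, character mix, dictionary words, login ID and real name, and reuse against a hashed history). The minimum length of 10, the history depth of 6 and the tiny word list are assumptions; the post fixes none of them.

```python
import hashlib
import re

# Constructed word list for the example; a real check loads a full dictionary file.
DICTIONARY = {"password", "monday", "welcome", "summer", "letmein", "qwerty"}
MIN_LENGTH = 10     # assumed value; the post sets no specific minimum
HISTORY_DEPTH = 6   # the post suggests keeping the last 4 or 6 passwords

def fingerprint(pw: str) -> str:
    """Hash used for the reuse check so history never stores cleartext.
    Assumption: SHA-256 here for brevity; a production system would compare
    against its slow, salted password hash instead."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def check_password(pw, login_id, first_name, last_name, history):
    """Return the list of policy rules the candidate password violates.
    An empty list means the password is acceptable. `history` holds the
    fingerprints of previously used passwords, newest last."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Mix of upper case, lower case, digits and special characters
    for pattern, label in ((r"[A-Z]", "upper-case letter"),
                           (r"[a-z]", "lower-case letter"),
                           (r"[0-9]", "digit"),
                           (r"[^A-Za-z0-9]", "special character")):
        if not re.search(pattern, pw):
            problems.append(f"missing {label}")
    # No dictionary words, whole or embedded, compared case-insensitively
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    # Not the login ID, and not the user's first or last name
    if lowered == login_id.lower():
        problems.append("matches the login ID")
    for label, name in (("first", first_name), ("last", last_name)):
        if name and name.lower() in lowered:
            problems.append(f"contains the user's {label} name")
    # Not one of the last HISTORY_DEPTH passwords this user has had
    if fingerprint(pw) in history[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems

def record_password(pw, history):
    """Append the accepted password's fingerprint and trim to HISTORY_DEPTH."""
    history.append(fingerprint(pw))
    del history[:-HISTORY_DEPTH]
    return history
```

Run against the post's own samples, "eR5z4jNy+M" passes every rule while "SlsgacotM" fails on length, digit and special character, which is the trade-off the post describes.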