A catchphrase from a popular reality show goes: “One day you’re in. And the next day, you’re out.” For the purposes of the show, the host is referencing fashion. But the same could be said about science. With each new discovery or advance, an old theory or idea often becomes obsolete—or at least less important.
We here in the NIST public affairs office thought it might be fun to list some of the NIST-relevant scientific ideas that we think are on their way in and out in 2017. Although the items on the list below may not be as monumental as the discoveries that led to this year’s Nobel Prizes, MacArthur Foundation “genius” grants, or Breakthrough Prizes, we still think they’re pretty important and could contribute to a better future.
Your opinion may vary.
Out: Elements 113, 115, 117, and 118
In: nihonium (Nh), moscovium (Mc), tennessine (Ts), and oganesson (Og)
…
Comments
PW reuse, PW managers, Generate passphrases, Stanford policy
1,2 A bigger danger than PW cracking or keyloggers may be PW reuse. Thus if the user uses the same PW on 'Suzie's House of Kittens' and (some secured site), a DB breach at Suzie's could compromise the 'more secure' site. Allowing password managers like KeePass dramatically reduces this problem. The VA, e.g., doesn't allow USBs or installing software on user machines, so this is a problem.
3 Security experts know users are generally not able to choose good passphrases. With offline crackers now using expanded PW dictionaries, PWs like "givemelibertyorgivemedeath" are no longer secure. Then there's Wordhound, which scours Twitter accounts, industry pubs, etc. for material relevant to just one breached company. Users need help choosing good passphrases.
4 An 8 char random string, even including (UPPER, lower, numbers, specials), is probably too short. Four truly random words are probably secure. As we know, longer is better.
**Suggested Change**:
1,2 Install OS password manager (e.g. KeePass) on all machines by default, and encourage its use. KP can add in Readable Passphrase Generator and others.
3 Install OS Passphrase Generator for use at the site where a new password is needed, or better yet, auto-generate a good memorable passphrase. "THE willing trowel PULLS a hinge" or "hinge trowel oxygen blue" are better than "MetsFan86".
4 Stanford's policy: "Which characters are required in my password? Answer: That depends on how long it is. The shorter it is, the more restrictions"
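The arithmetic behind the comment above (eight random characters versus four random words, and a grammar-shaped phrase like "THE willing trowel PULLS a hinge"), as an added example. This is not code from the NIST post, the commenter, KeePass or the Readable Passphrase Generator. The word lists are tiny constructed stand-ins; the 7776-entry list size, the 94-symbol printable charset and the 1e10 guesses-per-second offline rate are assumptions for the comparison.

```python
"""Passphrase generation and entropy comparison (added example, not the page's code)."""
import math
import secrets
import string

# Constructed stand-in word list. A real deployment loads a large list; the
# arithmetic below assumes a diceware-sized list (6^5 = 7776 entries).
SAMPLE_WORDS = [
    "hinge", "trowel", "oxygen", "blue", "willing", "pulls", "liberty",
    "canyon", "marble", "lantern", "quiet", "velvet", "saddle", "ember",
]
DICEWARE_LIST_SIZE = 7776  # assumed size of a full word list

# Constructed slot lists for a grammar-shaped phrase such as
# "the willing trowel pulls a hinge". Deliberately tiny, to show the cost.
DETERMINERS = ["the", "a", "my", "one"]
ADJECTIVES = ["willing", "blue", "quiet", "velvet", "sour", "brisk"]
NOUNS = ["trowel", "hinge", "lantern", "saddle", "canyon", "marble"]
VERBS = ["pulls", "lifts", "paints", "drops", "hides"]
TEMPLATE = [DETERMINERS, ADJECTIVES, NOUNS, VERBS, DETERMINERS, NOUNS]

# Upper + lower + digits + printable specials: 26 + 26 + 10 + 32 = 94 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices_per_symbol, symbols):
    """Bits of entropy in `symbols` independent uniform draws from `choices_per_symbol` options."""
    return symbols * math.log2(choices_per_symbol)


def template_entropy_bits(slots):
    """Entropy of a template phrase: one uniform draw per slot, so per-slot bits add up."""
    return sum(math.log2(len(slot)) for slot in slots)


def random_words(words, count=4, separator=" "):
    """Diceware-style passphrase: `count` words drawn with a CSPRNG, repeats allowed."""
    return separator.join(secrets.choice(words) for _ in range(count))


def readable_phrase(slots=TEMPLATE):
    """Grammar-shaped phrase built by drawing one entry from each slot list."""
    return " ".join(secrets.choice(slot) for slot in slots)


def random_string(length=8, alphabet=PRINTABLE):
    """Fully random password of `length` symbols drawn uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_crack_years(bits, guesses_per_second=1e10):
    """Expected time to hit a secret of `bits` entropy: half the keyspace at an assumed offline rate."""
    return (2.0 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def compare(word_list_size=DICEWARE_LIST_SIZE):
    """Entropy (bits) of the options discussed in the comment, side by side."""
    return {
        "8 random printable chars": entropy_bits(len(PRINTABLE), 8),
        "4 random words": entropy_bits(word_list_size, 4),
        "5 random words": entropy_bits(word_list_size, 5),
        "6 random words": entropy_bits(word_list_size, 6),
        "readable phrase (this block's tiny slots)": template_entropy_bits(TEMPLATE),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        years = expected_crack_years(bits)
        print(f"{label:42s} {bits:6.1f} bits  ~{years:.2e} years at 1e10 guesses/s")
    print("example words: ", random_words(SAMPLE_WORDS))
    print("example phrase:", readable_phrase())
    print("example string:", random_string())
```

With the assumed 7776-word list, four random words and eight fully random printable characters land within a bit of each other; the fifth word is what opens a clear gap. A grammar-shaped generator earns its entropy only from the size of each slot's list, never from the sentence shape, which is why the tiny slots here score so low and why a real tool ships large lists for every slot.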
electronic security
Why do we always over complicate the simple?
What’s this, passwords are being hacked? You have t0 u5e 0utrageou$ CoMb1NaT10N$ t0 stay ahead? Add more characters, lift that shift key, tote that $ymbol!
HALT!!! Breathe….in, out..., in...., out... Ok we have lots of tools that can be employed here and many have additional benefits.
Biometrics: it's at your fingertips (har har). The fact your employee has the same password for their home email, media service, and cute kittens daily website is no longer a problem. Also, people normally don't forget a fingerprint over a long weekend.
Put the already required ID badge to use. You want to enter the building or use a computer? You need your ID badge. The password hint is even universal! "It's around your neck." You can even combine the badge AND your fingertip. If your badge is stolen or lost, we hope you maintained your fingers.
Stop taking the Rube Goldberg approach to computer security. *Porcupines would make for some interesting workplace safety policy.* Besides, the moment I see flaming hoops in front of my keyboard, I'm going to take a more serious look at self-employment.