As most people have pointed out, this is not a security problem, it is a behavioral problem. The more complex the password rule choices are, the less secure your systems will be. And the reason is that they are simply too hard to remember, thus yellow stickies and password sharing. In some cases, the helpdesk encourages password sharing with an unpleasant attitude as they fix locked-out accounts.
It's human nature. So there are a few paths to take.
The first is to provide a secure password storage method. The KeepPassword Safe program is an excellent tool. By providing a fast, yet highly secure source for all the user passwords, requiring different passwords for different places becomes fairly easy to handle. This is especially useful for network admins that (ideally) have a different password on every router, firewall, VPN appliance, etc. Get a copy from
http://keepass.sourceforge.net/ Another is to provide single-signon capability. This best implemented in LDAP, which HP-UX can have setup and MS Active Directory can participate.
Sill another is the secure token method which can be expensive but can eliminate shared passwords.
Another path is user education in the form of hard-hitting articles about security compromises and the serious business and financial consequences for the companys, their CEO's, CIO's and even their CFO's. Here are some great sources:
http://www.sans.org/newsletters/http://searchsecurity.techtarget.com/ And finally, you have to get buy-in for enforcing your company's security policy (WHAT? You don't have one?). Once your Personnel or HR director agrees (might be quite a challenge), then managers are directed to not only abide by these policies themselves, but take steps to see that these policies are communicated and then enforced for everyone.
Computer security is not much different than locks and keys.When users constantly have to borrow or check out keys, that's when unauthorized duplicates get made...
Bill Hassell, sysadmin
