Re: As a non-security person
"...fail x times and you're locked out' method".
On the face of it a sensible approach, but it does not work as well in practice as one would hope or assume.
A previous employer had a strict password policy (8-16 characters, mix of at least one letter, number and special character, monthly changes, last 10 passwords prohibited, automatic log-out after ten minutes of no keyboard activity and only three unsuccessful logon attempts).
You will not believe the endless problems that that caused - I am sure at least one third of calls logged concerned passwords.
First and foremost was forgotten passwords (especially bad on a Monday following a password change the previous Thursday or Friday - I would be swamped by calls the moment I walked in the door (and I was usually 30 minutes early); also almost no-one could remember a password upon returning from leave or an absence of more than a week), followed by locked-out users.
Lock-outs presented an interesting problem: at one stage we suddenly had a spate of locked out accounts every weekday morning (all machines had to be left on overnight, so that security updates, virus program updates and policy changes could be run after hours). I initially suspected a problem with the scripts or the DC or maybe the AD server, but everything checked out fine. Also, it was just one building complex in my branch that had the problem.
Then one night I decided to stay after hours (I discovered from the logs that lock-outs took place between 17:30 and 18:30 every night) to see if I could catch the culprit, as I had begun to suspect that it was deliberately done, since lock-outs ran roughly sequentially in seating order, suggesting someone moving from machine to machine.
Lo and behold! In came a bevy of cleaning ladies who whipped out damp cloths and proceeded to vigorously clean each desk, keyboard and monitor! (I should mention here that usernames were automatically populated, as there were a number of complaints about having to enter both a username and a password - surely the computer can do a little bit of work as well?). So obviously, the third time the "Enter" key was hit, the account got locked out. The sudden emergence of this problem was because the business had changed their cleaning service provider and keyboard cleaning was top of their list of things to do.
Password strength was also a problem; despite the restrictions enforced, users kept using easily guessed passwords (Qwert1@3, or password1!, etc).
I eventually resorted to suggesting that they use easily remembered mnemonics (and choose your own, thank you, do not use my example), like Ihhtcpem!-12, which would stand for "I hate having to change passwords every month! - xx", where xx would be the month of the year. That way they only needed to change the last character or two and still have a reasonably secure password that is easily remembered.
But yeah, despite all that a large number of users used to write theirs down and hide it under the desk blotter or the keyboard, or write it on the calendar (obviously on the date of the forced change, as everyone waited until the last day (we used to have a ten day warning period)).
The password change requests I particularly hated were for mid-month changes, when some girl broke up with her boyfriend and did not want to be reminded of him every time she needed to log on. I used to refuse to do those as punishment for ignoring my sage advice about good passwords, until we got a central Help Desk and SLAs.
<---- Paris, obviously, for the disconsolate girl being forced to enter an ex-boyfriend's name.
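The lockout pattern in the post above (a nightly cluster of lockouts between 17:30 and 18:30, running in seating order from machine to machine) is the kind of thing you would rather spot from the logs than by staying late. The script below is an added example, not the poster's code or any tool the post mentions: it parses constructed lockout records, finds bursts of lockouts within a time window, and flags a burst whose hosts walk a seating plan in order. The log line format, the `WS-<area>-<seat>` workstation naming (used here as a stand-in for seating order), and every account and host name are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lockout records (not real log data), one per line in the
# assumed shape "<timestamp> LOCKOUT account=<user> host=<workstation>".
# Two ordinary daytime lockouts, plus a 17:30-18:30 run through WS-B1-01..05 on two evenings.
SAMPLE_LOG = """\
2009-03-02 09:02:11 LOCKOUT account=pvdm host=WS-A2-07
2009-03-02 17:36:40 LOCKOUT account=jsmith host=WS-B1-01
2009-03-02 17:39:05 LOCKOUT account=mjones host=WS-B1-02
2009-03-02 17:41:52 LOCKOUT account=tnaidoo host=WS-B1-03
2009-03-02 17:45:18 LOCKOUT account=lbotha host=WS-B1-04
2009-03-02 17:48:03 LOCKOUT account=rkhan host=WS-B1-05
2009-03-03 11:15:27 LOCKOUT account=aclark host=WS-C3-12
2009-03-03 17:34:10 LOCKOUT account=jsmith host=WS-B1-01
2009-03-03 17:37:44 LOCKOUT account=mjones host=WS-B1-02
2009-03-03 17:40:21 LOCKOUT account=tnaidoo host=WS-B1-03
2009-03-03 17:43:59 LOCKOUT account=lbotha host=WS-B1-04
2009-03-03 17:47:30 LOCKOUT account=rkhan host=WS-B1-05
"""

LINE_RE = re.compile(r"^(\S+ \S+) LOCKOUT account=(\S+) host=(\S+)$")
# Assumed workstation naming: WS-<area>-<seat>, where the seat number follows the seating plan.
HOST_RE = re.compile(r"^WS-([A-Z]\d)-(\d+)$")


def parse_lockouts(text):
    """Parse the log into sorted (timestamp, account, host) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def find_bursts(events, window=timedelta(minutes=60), min_count=3):
    """Return runs of at least `min_count` lockouts that all fall within `window` of the first."""
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append(events[i:j + 1])
            i = j + 1          # skip past the burst we just reported
        else:
            i += 1
    return bursts


def seat_order(burst):
    """(area, seat) for each host in the burst, or None if any host breaks the assumed naming."""
    seats = []
    for _, _, host in burst:
        m = HOST_RE.match(host)
        if not m:
            return None
        seats.append((m.group(1), int(m.group(2))))
    return seats


def looks_like_walkthrough(burst):
    """True when the burst stays in one area and seat numbers strictly increase in time order,
    i.e. someone (or something) moving desk to desk rather than an attack on one account."""
    seats = seat_order(burst)
    if not seats:
        return False
    areas = {area for area, _ in seats}
    nums = [seat for _, seat in seats]
    return len(areas) == 1 and all(b > a for a, b in zip(nums, nums[1:]))


def summarize(text):
    """For each burst: start time, number of lockouts, and whether it walks the seating plan."""
    return [
        (burst[0][0].strftime("%Y-%m-%d %H:%M"), len(burst), looks_like_walkthrough(burst))
        for burst in find_bursts(parse_lockouts(text))
    ]


if __name__ == "__main__":
    for start, count, walk in summarize(SAMPLE_LOG):
        print(f"{start}: {count} lockouts, seating-order walkthrough={walk}")
```

The isolated daytime lockouts never reach the burst threshold, while both evening runs do and are flagged as walkthroughs because the seat numbers rise monotonically within one area. On a real domain you would feed it the lockout events from the domain controller instead of the constructed lines, and a burst that repeats at the same hour every night with the same host ordering is a strong hint to look at what physically happens to those desks at that time.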