Yep, "Passwords should be protected in a manner that is consistent with the damage that could be caused by their compromise." So I guess they could start jotting them down on memo pads. :cool:
It's smart to avoid needless exposure of users' passwords, and in this case I think you're needlessly exposing them. Most of all you're needlessly generating complexity, thus lowering assurances. What type of access control mechanisms in this program are used to protect the "Password Strength Programs data base" from unauthorized modification and disclosure?
If your goal is to educate, launch a "Security Awareness" treatise and have them signed. "To assure security awareness among the user population, it is recommended that each user be required to sign a statement to acknowledge understanding these responsibilities."
If a particular users password is not meeting your standards....well.... in a mature environment the SSO would've swiftly taken care of that. Just use the "password lifetime" method. A maximum lifetime of any passwords can be forced through the systems policies.
Consult the TFM to have a better understanding of how a secure facility should be run on many points.Code:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy