Of course people tend to fixate on passwords, things like how long is yours, does it have special characters, etc. In my experiance the biggest internal security threat comes from people simply not locking their workstation when they run to get coffee or go to talk to their supervisor, etc. I've had devellopers thinking they were smart and by passing our lock out policy. That stopped quickly after a couple of them left for the weekend and didnt log out. when they came back monday they had sent an e-mail inviting everyone in their team and the tech support team for a drink to celebrate their birthday. .