Users aren't the issue, the entire design of passwords is flawed. See how easy that was?
You're not going to change Human behavior. Even with long term comprehensively immersive training the learned behaviors are expressed less extensively within six (6) months of leaving the immersive environment (except for psychologically damaged people). It's hardwired into Humans to adapt to their present surroundings the laziest most efficient way possible, so Post-It notes...
Furthermore, there's a reason that I discourage my staff from having their own machine shops and labs at home, just like the military discourages the use of non military firearms while active. It's because 'at home' practices are always more efficient than workplace practices and the natural, unchangeable part of a normally functioning Human mind will always override the less efficient workplace practices even if the workplace practices are more effective.
Inevitably, you're going to get somebody who either forgets and crosses the streams of home/workplace practices or, even worse, does so intentionally and nobody is prepared for the change so you end up like me with half a pinky finger. That's the thing about workplaces, it isn't 'yours' and if everybody isn't on the same page things go wrong. Like the shady guy who goes around copying passwords of the Post-It notes everybody has stuck to their monitor (I do it too, I just put a security guy by the door to my office though, so it's cool. Perhaps that's the solution, private armed security for every person).
Humans happen, passwords are constructs. One of those things can be reliably changed or the systems underpinning them can be changed. Humans can't reliably be changed unless it's by their own choice. Forcing, or even incentivizing, change is only temporary and completely unreliable.
Bad tools force the user to adopt unnatural practices that are impossible to perpetually maintain. Combined with at home participation with similar tools and no active reinforcement it's actually even more dangerous. Good tools are designed with the user in mind and made so that fucking them up is nearly impossible (gas pumps at automobiles filling stations are a great example of a well designed tool. If you are able to get to one it's nearly impossible for you to fuck it up unless you're doing something extraordinarily stupid. You can't even return the nozzle without 'logging out').
So from an engineers perspective, passwords are the problem. It's Fundamentals of Engineering 101 which teaches you that you don't bother trying to change Humans (unless you're in bioengineering), you change the thing the Humans are interacting with to better suit their internal wiring as well as their varying degrees of intelligence and presence of mind. You want widely used anythings to be designed for the lowest common denominator and well labeled. That's why claymore mines say 'This side toward enemy' in three languages and have the nice little drawings of how to properly vaporize people using the device. It's why car keys can be inserted any direction. It's why plugs on computers are standardized. It's why the blaring 'stall alert' in our company plane speaks 'stall alert, errnnngh, errnnngh, errnnngh, stall alert' at the same time both pilots have nicely labeled 'stall alert' flashing lights on their panels, you can't miss it or fuck it up. That's what 'passwords' have to become.
Obviously, they won't be passwords anymore, but as someone above noted, it's discovering what they'll become that's the key. Sitting around blaming Humans for being fuckups is a fuckup in itself. Nothing useful comes from that and even thinking about it should set off your own internal stall alert. Unless killing all the people is an acceptable solution, but it takes the fun out of being rich you know. There's nobody to build nice stuff for you if they're all dead :)
Biting the hand that feeds IT
