Password policy

Block lists contain passwords constructed of character combinations that otherwise meet company policy, but should no longer be used because they have been deemed insecure for one or more reasons, such as being easily guessed, following a common pattern, or public disclosure from previous data breaches.

Systems that implement such policies sometimes prevent users from picking a password too close to a previous selection.

Bruce Schneier argues that "pretty much anything that can be remembered can be cracked", and recommends a scheme that uses passwords which will not appear in any dictionaries.

Password policies may include progressive sanctions beginning with warnings and ending with possible loss of computer privileges or job termination.

Where confidentiality is mandated by law, e.g. with classified information, a violation of password policy could be a criminal offense in some jurisdictions.

consider a convincing explanation of the importance of security to be more effective than threats of sanctions[citation needed].

The level of password strength required depends, among other things, on how easy it is for an attacker to submit multiple guesses.

Some systems limit the number of times a user can enter an incorrect password before some delay is imposed or the account is frozen.
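The three mechanisms described above (a block list of policy-compliant but unsafe passwords, rejection of a new password that is too close to the previous one, and a failed-attempt counter that freezes the account) can be expressed as a small policy module. The following is an added example written for this page, not code from any product or from the article's sources; the block-list entries, the 12-character minimum, the 0.8 similarity threshold and the five-failure lockout are constructed values chosen for illustration.

```python
"""Password-policy checks: block list, similarity to the previous password,
and a consecutive-failure lockout. Added example; all sample values are constructed."""
import difflib
import time

# Constructed block list: each entry satisfies a typical composition rule
# (length, mixed case, digit, symbol) yet follows a commonly guessed pattern.
BLOCK_LIST = {"Password1!", "Welcome2024!", "Qwerty123!", "Summer2023!", "Company@123"}

MIN_LENGTH = 12  # assumed minimum length for the composition rule


def meets_composition(password: str) -> bool:
    """Character-class rule: minimum length plus lower, upper, digit and symbol."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def is_blocked(password: str) -> bool:
    """Case-insensitive block-list lookup: case variants of a blocked
    pattern are no safer than the pattern itself."""
    return password.casefold() in {entry.casefold() for entry in BLOCK_LIST}


def too_similar(new: str, previous: str, threshold: float = 0.8) -> bool:
    """Reject a new password that is only a small edit of the previous one
    (for example, just the trailing digit changed). difflib's ratio is in [0, 1]."""
    ratio = difflib.SequenceMatcher(None, new.casefold(), previous.casefold()).ratio()
    return ratio >= threshold


def validate_change(new: str, previous: str) -> list[str]:
    """Return the list of policy violations; an empty list means the change is accepted.
    The previous password is available in clear at change time because the user
    must supply it to authorise the change."""
    problems = []
    if not meets_composition(new):
        problems.append("composition")
    if is_blocked(new):
        problems.append("blocked")
    if too_similar(new, previous):
        problems.append("too_similar_to_previous")
    return problems


class LoginThrottle:
    """Per-account failure counter: after max_failures consecutive failures the
    account is frozen for lock_seconds. A successful login resets the counter.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures: int = 5, lock_seconds: int = 900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: clear it together with the failure counter.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(account):
            return True
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lock_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the consecutive-failure count."""
        self._failures.pop(account, None)
```

The block list is checked after the composition rule on purpose: a password such as `Welcome2024!` passes every character-class test, which is exactly the case a block list exists to catch. The similarity check compares against the password the user just authenticated with, so stored hashes never need to be reversible.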

At the other extreme, some systems make available a specially hashed version of the password, so that anyone can check its validity.

The study concludes that sites with more stringent policies "do not have greater security concerns, they are simply better insulated from the consequences from poor usability."