Engineers as Stanford recently unveiled a new password policy that shuns one-size-fits-all security. This has been followed a system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche. This proposes a system that provides rewards or penalties based on the passcode choices people have made.
The example given is one as follows:
A user who picks "test123@#" might be required to change the password in three days under the system,. The three-day limit being based upon calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months.
An interesting concept, and on that would avoid forcing users who have made a sensible password choice from being forced to change their passwords because some other less careful users choose ‘easier passwords’.
The full article is here.