Question
Niki Simpson was in the conference room waiting for the training session to begin. She was at the session because her user account credentials had been used by an unidentified attacker, attempting to access the school computer system. She had been an employee of the local school district for 12 years, and this was her first formal training in information security.

Three hours and thirty minutes later, Niki closed her workbook. The trainer said, "And that concludes the basic information security training session for school district employees. Are there any questions?" Niki raised her hand. When the trainer acknowledged her, she said, "OK. I understand that the district policy is to have a twelve-character password of nonsense syllables that are changed by the system every 30 days. I also understand we are not supposed to write the new passwords down on anything. Any suggestions on how I am supposed to remember this password?"

The trainer said, "I really can't say. I suppose you'll just have to memorize the new password before you clear the screen when it is assigned to you."

Niki's mouth dropped open. She said to the trainer, "That's easy for you to say, but I think I'm going to have a hard time with that."

The day after her remedial security class, Niki got a call at her office from the help desk. The technician on the other end said that her account had been reset and she could log on again and her temporary password would be her employee ID number and then the last 4 digits of her social security number.

A short while later, she was ready to try to connect to the system for the first time in a week; her access had been suspended until she took the training class. She turned on her computer, and after it had booted, she entered her username and password as instructed. The next screen that opened said that her password had been reset. It displayed her new password as a series of twelve letters, numbers, and special characters, and then provided a brief mnemonic nonsense phrase. She saw:

HA YU M2 KA Y! I7
Hello All, You're Unhappy, Me Too, Keep Apples, Yes Bang, It's Seven

Niki looked at the "helpful" nonsense phrase and just shook her head. She was going to get another one of these every month! She reached for her yellow sticky notes and started writing down her new password.
1. Does the school district's password policy seem to be effective, considering the needs of the employees affected?
2. How would you suggest the district IT department adjust its password approach?
3. Consider how your recommendations might improve or degrade compliance with the policy. How would your suggestions alter the strength of the passwords?