Who owns the passwords that you or your users use to access your network or application?

If you don’t know, then you have a problem.  Your users hopefully memorize their passwords, but therein lies the rub.  If an accountant has gone to the trouble of memorizing a complex password then they are very likely to be tempted to use that password for other systems.  Maybe the corner hardware store’s web site requires registration.  If they use the same username and password that works on your systems and top it off with entering the company email address then your security now depends on the security of the corner hardware store’s web site security (provided it isn’t actually run by a hacker)!

Tell your users in writing that the passwords they use at work are company property and must not be used on any other systems.  Put it in writing like any other company policy and ensure they know that failure to comply is a terminable offense (and mean it).  If you don’t then forget about security, it won’t help you in the end.