
Agree.

I toyed around with the idea of a password risk score.

Password reuse across accounts (with known breach) = 100%

Password reuse across accounts = 90%

Unique external password = 30%

Unique internal password = 20%

Divided by password complexity... or something similar.

In this way the user is encouraged to maintain good passwords by not being penalised (changing every few months, etc.).

Of course, this would require something between service and user, such as a password manager.
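
As an added example (not part of the original comment), here is a sketch of the scoring idea above as a password manager might compute it over its vault. The character-pool complexity estimate, the 40-bit reference divisor, the field names and the sample vault are assumptions made for the example.

```python
import hmac, math, os, string
from collections import defaultdict

# Base risk (percent) per category, taken from the comment above.
BASE_RISK = {"reused_breached": 100, "reused": 90,
             "unique_external": 30, "unique_internal": 20}
REFERENCE_BITS = 40.0   # assumption: below this strength the risk is not reduced
_KEY = os.urandom(32)   # per-run key so grouping never uses raw passwords as dict keys

def complexity_bits(pw):
    """Assumed complexity measure: length * log2(size of the character pool used)."""
    pool = sum(size for chars, size in ((string.ascii_lowercase, 26),
                                        (string.ascii_uppercase, 26),
                                        (string.digits, 10))
               if any(c in chars for c in pw))
    if any(c not in string.ascii_letters + string.digits for c in pw):
        pool += 33      # symbols and anything else
    return len(pw) * math.log2(pool) if pool else 0.0

def score_vault(entries):
    """entries: dicts with account, password, internal (bool), breached (bool)."""
    groups = defaultdict(list)
    for e in entries:
        tag = hmac.new(_KEY, e["password"].encode(), "sha256").digest()
        groups[tag].append(e)
    scores = {}
    for group in groups.values():
        # The breach flag only matters for reused passwords, as in the comment's list.
        leaked = any(g["breached"] for g in group)
        for e in group:
            if len(group) > 1:
                cat = "reused_breached" if leaked else "reused"
            else:
                cat = "unique_internal" if e["internal"] else "unique_external"
            divisor = max(1.0, complexity_bits(e["password"]) / REFERENCE_BITS)
            scores[e["account"]] = (cat, round(BASE_RISK[cat] / divisor, 1))
    return scores

# Constructed sample vault; accounts and passwords are made up.
VAULT = [
    {"account": "forum", "password": "Summer2019", "internal": False, "breached": True},
    {"account": "shop", "password": "Summer2019", "internal": False, "breached": False},
    {"account": "bank", "password": "v9#Lq2!xTz7&Rm4pWc8$", "internal": False, "breached": False},
    {"account": "vpn", "password": "correct-horse-battery-staple", "internal": True, "breached": False},
]

if __name__ == "__main__":
    for account, (cat, risk) in score_vault(VAULT).items():
        print(f"{account:6} {cat:16} {risk}")
```

Note that the "shop" account inherits the breached category because it shares a password with the breached "forum" account, even though "shop" itself has no known breach.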


