In light of all the data breaches and passwords being exposed, it's time to implement two factor or multi-factor authentication for remote access.
Lets face it, we're all human. We access too many remote sites and with the explosion of SaaS and personal and enterprise cloud solutions we have an explosion of password credentials.
We're now looking at having to manage hundreds of passwords. It's no wonder that passwords are getting reused. Granted, password management systems introduce their own keys to the kingdom problem.
As IT and cyber security people, if we allow end users to craft their own passwords, it's impossible to tell if it's unique across multiple sites. If we force an arbitrary cryptic mix of characters and long length then we guarantee it gets written down or stored insecurely.
Bottom line we need to accept that our user passwords are almost certainly not unique and probably discoverable via breaches. We have to employ multi-factor encryption to mitigate this concern.