Here's a new concept that will help permanently reduce locked accounts for corporate users:
It's called "close enough technology". When typing in your password to log into a machine, how many of you fat-finger it, and how often? Do this a few times in a workplace, and you may need someone to reset it. Add in several thousand employees, and you now have a full-time position resetting passwords.
But honestly, how many of you want to be the password Nazi, if the users DO know their passwords--they just can't type in the mornings without coffee?
Close Enough technology allows the platform (Linux, Windows, OS X, etc.) to "understand" your password even though you mistype it, match it within a few characters (configurable globally or at group level), and still let you in.
Here's how it would work:
1) Type in your username, which obviously will have to match, because you can actually SEE it onscreen.
2) Type in your password. In this example, if your password were "letmein" but you typed "letnmein" (accidentally adding an extra "n"), the technology would know that you really knew your password and just didn't type it correctly. The machine lets you in.
NOW! Also configurable would be the number of times you can fat-finger the password (say, 1-3 times), how many extra or fewer characters, and how many completely wrong characters, before the platform requires an exact match of the password. THEN, the exact match must be met within x number of tries before the account is officially locked out.
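As an added illustration, not part of the post, here is one way a platform could implement the mechanism without ever storing the password in clear: the typed string's one-edit variants are hashed and compared against the stored salted hash, and the allowances described above (near-miss logins tolerated, then exact match required within a set number of tries, then lockout) are tracked per account. Edit distance 1, PBKDF2 as the stand-in hash, the letters-and-digits alphabet, and the rule that an exact match resets the counters are all assumptions of this example.

```python
import hashlib
import hmac
import os
import string

# Character set used to generate one-edit variants (assumption for the demo).
ALPHABET = string.ascii_letters + string.digits

def hash_pw(password: str, salt: bytes, iterations: int = 1_000) -> bytes:
    # PBKDF2 stands in for the platform's password hash; the iteration count
    # is lowered here only so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def neighbors(typed: str) -> set[str]:
    """Every string within edit distance 1 of `typed` (insert, delete,
    substitute), excluding `typed` itself. "letnmein" -> includes "letmein"."""
    out = set()
    for i in range(len(typed) + 1):
        out.update(typed[:i] + c + typed[i:] for c in ALPHABET)      # insertion
    for i in range(len(typed)):
        out.add(typed[:i] + typed[i + 1:])                            # deletion
        out.update(typed[:i] + c + typed[i + 1:] for c in ALPHABET)  # substitution
    out.discard(typed)
    return out

class CloseEnoughAccount:
    """Policy from the post: `fuzzy_tries` near-miss logins are tolerated, then
    an exact match is required within `exact_tries` attempts before lockout."""
    def __init__(self, password: str, fuzzy_tries: int = 2, exact_tries: int = 3):
        self.salt = os.urandom(16)
        self.stored = hash_pw(password, self.salt)   # plaintext is never kept
        self.fuzzy_tries, self.exact_tries = fuzzy_tries, exact_tries
        self.fuzzy_used = self.failures = 0
        self.locked = False

    def _matches(self, candidate: str) -> bool:
        return hmac.compare_digest(hash_pw(candidate, self.salt), self.stored)

    def login(self, typed: str) -> str:
        if self.locked:
            return "locked"
        if self._matches(typed):                      # exact match resets the policy
            self.fuzzy_used = self.failures = 0
            return "ok"
        if self.fuzzy_used < self.fuzzy_tries and any(map(self._matches, neighbors(typed))):
            self.fuzzy_used += 1                      # near miss accepted, one allowance spent
            return "ok-close"
        self.failures += 1                            # assumption: complete misses count too
        if self.failures >= self.exact_tries:
            self.locked = True
            return "locked"
        return "retry"
```

Each accepted near miss costs the server a hash computation per neighbour (over a thousand for an 8-character entry) and means those same thousand strings all unlock the account, which is the trade-off to weigh when setting the allowances.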
I feel this is still quite secure, only because the username must be matched, so similar multi-user passwords could never be used unless the username were shared.
Comments welcome. I reserve the right to suggest this idea to other entities.