This talk will describe the password policy at Pure Storage, which involves the security team actively attempting to crack employee passwords, forcing a change when discovered, and allowing them to keep the password. Nearly two years into this program, I will review our mature implementation and present an analysis of the collected password data demonstrating how this approach has markedly raised security awareness of our employees and improved the strength of their passwords. Day-to-day blue team security is hard and draining; this approach gives the defense team members a chance to play the role of attacker with a fun task quite different from their day-to-day.