1) Teach users
Yeah... Here on planet Earth, it has been proven ad nauseam that users are, by definition, unteachable. Assuming that they are educable is a profound security hole in its own right.
More, if you enforce security protocols on users, they'll usually react by taping the 16-letter super secure password to the bottom of their keyboard. Working with users means giving them something they're willing to deal with. Or, at the very least, can't circumvent.
One method of "more secure than the user wants to be" is tokens. Their password can be 1234 but that little fob thingy is more secure than they are. Users hate them, actually. But, they're secure.