I recommend you change your password as frequently as you can. Read up on hacking terms and some common windows of vulnerability, like "leapfrog attacks," at the www.sans.org site mentioned above. Understand that any superuser or user can contribute to a hacker's attempts at gaining access to your system.
Locking a user's account after four or five failed attempts (at most) may seem an inconvenience, but it does stop a hacker from repeatedly trying to break into an account by brute force (repeated attempts using many combinations of characters) or by dictionary methods (trying common words, which many people use as passwords). Be sure that only administrators can unlock the account, so that if need be you can verify that it really was the user trying to access his or her own account.
Where are your users writing those passwords down, and who is around when they use them?
Have you talked with your users about putting passwords on sticky notes under their keyboards or monitors, or jotting passwords down on their calendars? Watch for this!
If your users freely enter their passwords in front of others, or, worse, share their passwords, you are allowing them to jeopardize whatever security you have. Talk to your users about these things. Put instructions on your intranet or in the human resources package for all new hires.
What is the formula you use to generate passwords?
I won't spell out what I use, but most ISPs recommend that you use a minimum of eight characters -- a combination of upper and lower case letters, numbers, special symbols, etc. And never use words, names, birth dates, or social security or drivers license numbers. The most common passwords hackers try (and sysadmins use) are "sex," "god," "love," "password," "wordpass," and so forth. It may seem a pain to remember a password like "xT8~u9Ro," but that password gives you enough time to use it and change it before it can be cracked. Check out those hacking and password-cracking tools.
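As an added illustration of the lockout rule and the password formula described above (example code written for this page, not from the original author or any product), here is a minimal Python account model: it locks after at most five failed attempts, lets only an administrator unlock, keeps a salted hash instead of the password, and checks a candidate password against the eight-character, mixed-class, no-common-words rule. The PBKDF2 iteration count and 16-byte salt are my own choices, not values from the article.

```python
import hashlib, hmac, re, secrets

# Policy values taken from the article: lock after at most five failed attempts,
# require eight or more characters from several character classes, and reject
# the common words hackers try first (the article's own short list).
MAX_FAILED_ATTEMPTS = 5
COMMON_PASSWORDS = {"sex", "god", "love", "password", "wordpass"}
RULES = [
    (lambda pw: len(pw) >= 8, "shorter than 8 characters"),
    (lambda pw: re.search(r"[a-z]", pw), "no lowercase letter"),
    (lambda pw: re.search(r"[A-Z]", pw), "no uppercase letter"),
    (lambda pw: re.search(r"[0-9]", pw), "no digit"),
    (lambda pw: re.search(r"[^A-Za-z0-9]", pw), "no special symbol"),
    (lambda pw: pw.lower() not in COMMON_PASSWORDS, "on the common-password list"),
]

def password_policy_violations(pw):
    """Return the rules a candidate password breaks (empty list means it passes)."""
    return [msg for ok, msg in RULES if not ok(pw)]

def _hash(pw, salt):
    # Slow salted hash: store this, never the password itself (my own parameters).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    """Counts failed logins, locks after too many, and unlocks only for admins."""
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.digest = _hash(password, self.salt)
        self.failed_attempts = 0
        self.locked = False

    def login(self, attempt):
        if self.locked:
            return False  # a locked account rejects even the right password
        if hmac.compare_digest(_hash(attempt, self.salt), self.digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False

    def admin_unlock(self, caller_is_admin):
        """Only an administrator may clear the lock, as the article advises."""
        if not caller_is_admin or not self.locked:
            return False
        self.locked = False
        self.failed_attempts = 0
        return True
```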
Where do you store your user ID and password lists?
This is a trick question! You should never store user IDs and passwords. Shred them, burn them. Never leave them lying around. If your users forget their password, assign them a new one. Otherwise, you're just giving potential hackers a million ways to get into your system and look like an authenticated user.