An organization that gives users access to computing resources via a password mechanism needs to ensure that they perform certain secure behaviours if it wants those resources to be protected adequately. The research problem this thesis seeks to address is the question of how the likelihood of users performing these behaviours can be increased when some of those behaviours can neither be enforced nor monitored adequately. The primary substantive contribution of the thesis is a grounded theory model of the process users go through when choosing password-related behaviours in the absence of any organizational efforts to influence this choice. The model is subsequently extended to incorporate the effect on user behaviour of password regulations and their associated punishment regimes. The thesis then presents a discourse-analytic investigation of the interpretative repertoires users draw on to describe aspects of password security, and of the effect of those repertoires on users' password practices. This investigation also shows that users might at times structure their discourse about password security issues in a manner that makes it possible for them to justify malpractice. The use of discourse analysis to investigate these issues is a methodological contribution to the field of human-computer interaction. The opportunistic use of quantitative data that had been collected prior to a re-conceptualisation of the research approach is used to examine the extent to which users violate password regulations. An analysis of all the qualitative data collected allows a first insight into the specific insecure behaviours that users choose in particular situations. Persuasive password security, an integration of all these findings into an applicable approach to improving user behaviour, is presented, and specific recommendations on how to improve users' password practices in organizations are made.