The primary function of access controls is to restrict the use of information systems and other computer resources to authorised users only. Although more secure alternatives exist, password-based systems remain the predominant method of user authentication. Prior research shows that password security is often compromised by users who adopt inadequate password composition and management practices. One particularly underresearched area is whether formal password composition policies actually lead to more secure passwords and user security practices. Consequently, this study investigates empirically the efficacy of using password composition rules to improve password security. The results show that the enforcement of password composition rules does not significantly reduce the use of meaningful data. While the enforcement of rules does reduce password reuse, the overall incidence remains high. These passwords are also perceived by users as being more difficult to remember. Finally, the enforcement of password composition rules significantly increases the average Levenshtein's edit distance between the passwords and ordinary dictionary words indicating that enforcement does improve protection against dictionary-based attack.