  2. 4

    There are a lot of bad practices that become self-perpetuating. I was involved in some PCI-DSS stuff at work and their password requirements are … not very good for end users. Normal users pick worse passwords when having to rotate them frequently, but PCI requires password changes every 90 days and you can’t use any of the previous 4 or 5 (too lazy to dig up the link), therefore encouraging users to do password1, password2, password3, etc.

    1. 1

      I was the only person in my team who had a random password; the system was pretty good at giving you easy-to-remember passwords to choose from, like “frank+8Fell”. Everyone else ended up adding an incrementing number or prepending a letter, e.g. password1, password2, etc. or password, ppassword, pppassword…