Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.
Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…
I volunteer at a local high school and the students password is their birthday, because they are given their account at age 5, in kindergarten, and it’s something you can reasonably expect a 5 year old to remember. Also, the students are not allowed to change their password unless they get “hacked”, which is usually just another student logging into their account and deleting their assignments.
A school I used to work at had a folder with student passwords for various services at the front of the computer lab. If a student forgot their password for a service, they just went and looked in the folder. Maybe they’d even get their mates’ passwords for them while they were at it!
I did try to get the policy changed, and offered to teach staff and students how to use a password manager, but apparently remembering a single password was far too complicated, and it would make it much harder if you needed to log in to someone else’s account.
lmao