Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.
Not naming and shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…
A school I used to work at had a folder with student passwords for various services at the front of the computer lab. If a student forgot their password for a service, they just went and looked in the folder. Maybe they’d even get their mates’ passwords for them while they were at it!
I did try to get the policy changed, and offered to teach staff and students how to use a password manager, but apparently remembering a single password was far too complicated, and it would make it much harder if you needed to log in to someone else’s account.