complete failing of organizations to have or heaven forbid enforce policies about password practices
Most of the time the problem is the opposite. Absurd policies and a delusion of the password being important to the user. And lately, the retarded concept of the security questions that the user cannot choose (or can choose from a set of around the same 10 in every site).
For like 95% of the sites I don't give a shit if my account is hacked. I use the same password for most of those sites (if they are too retarded with requirements I might add a few 0s or #s at the end). If you make me change the password even if once a year then I'm not going back to your site because I don't care much about it in the first place. So I'll forget the new password.
- Passwords on sticky notes on monitors.
- Passwords shared with co-workers, that have not been granted access.
- System does not require default password to be changed.
None of these are user problems. They are system design problems which I can translate to this:
- They make me change the password every 90 days, so I have to write it down.
- Danny needs to access credit card information because it's part of his job to do refunds but they won't give him access because for some reason that also means they have to give him access to XXX (they have one permission for two things) so I have to type my password at his terminal 10 times a day. I cannot be interrupted that much, or I might not be around, etc., so I just let him use my password.
- My sysadmin uses the same default password for everyone.