Working much with security, this makes me want to cry… Still, I can understand it from a private citizen's point of view.
Years ago, I did a job for a Norwegian branch of a German company with a strict security policy. As it turned out, it was a virus throwing a party. Long story short, every computer disconnected, server disconnected from the net and cleanup. The interesting part of the story is that I found the password for the user on post-it notes in every office, either under the keyboard, on the back of the monitor or even in plain sight on their desk!!!
It reassured my attitude that IT security will only ever work as long as it is with and not against the users. This particular German company had lowered their security to almost zero by applying a too strict policy for humans to overcome, and this study confirms my findings.
What they should have done was to educate about password managers and complexity for master passwords, not only enforce a policy… It will simply never work.
We are only humans after all.