The one I’ve noticed is that I have never encountered a system that both requires regular password changes and actually has anything anyone would want to access on the other side. No malicious actor wants to see company memos. I don’t want to see company memos, and I work there! Another one was to a system that allowed me to sign customers up for internet services. So if someone guessed my password they could… sign up new customers, I guess? I certainly didn’t have ready access to anything useful. Not seeing the downside to the company there.
I genuinely don’t think anyone ever asks the question “what’s the bad thing that can happen?” Because if they did, they might not think such rigour is necessary.