Comment by b0a04gl

1 day ago

that line "useless password expiration policies" kinda undersells the real damage honestly. it's not just about annoyance or people incrementing numbers. i've seen orgs where users literally email themselves passwords just so they don't forget the new one every 30 days. the entire system becomes hostile to secure behavior. no one talks about how these policies quietly push people away from good opsec habits. like the policy itself becomes the threat model.