
>Furthermore, you must retain old passwords to disallow dupes for at least 5 cycles.

More cynically: password reuse is allowed after 5 cycles.



I've actually known people who, when required to change their password, would change it 5 times in a row, then back to the original password in order to keep using it.


Guilty as charged.

It's why mandatory change policies are so stupid. Users will always sacrifice security for convenience.

Even those that know better.


This is why many systems - I've seen it with Microsoft and Salesforce - set a "minimum password age", which is usually a minimum of 1 day.

This way, you can't change your password more than once a day. This makes quickly cycling through to get back to your original password hard.


This is amazing: "guaranteed at least 24h of exploiting a recently compromised account or your money back"


Yeah, I've tried that. First day in my new job. "Here's your PC. Your user name is [some initials] and your password is abcd1234". I sign in and immediately proceed to change my password to something that doesn't suck. I keep getting an error message about my new password not meeting the complexity requirements. Super confusing... I give up.

Next day: I can now change my password.

Turns out that I couldn't change my password the first day because it had already been changed to abcd1234 that day. I was not impressed.


It is an internal joke: you 'forgot' your password, so you get something like 'Spring2021' from IT as a password reset. Now you pick a target account and trigger an account lockout. Most of the time, the target is confused and gets a combo, account unlock and password reset. Now the IT guy who does the password reset ... uses seasonal passwords which of course can't be changed for 24 hours.


Oh this is clever, I'll use that next password rotation so that my password doesn't change in effect. We must change every 60 days where I work, and it doesn't work well, so some systems still use the previous password, some still use 3 passwords ago, etc. It's random though, you never know in which systems the password change will take and in which it won't.


Worse is when you're developing software against those other systems, and within a few minutes of logging in, your account is now locked out.


I went to a college with that problem. After your mandatory password change, any device autoconnecting to wifi would trigger a lockout. Since the same password was also used to log into network computers, there was no way to visit the webapp to unlock your account.

Unless you had data on your smartphone or had a friend who was logged in, you were SoL.


Slightly more tech-savvy users will just use a password manager... called a "passwords.txt" file saved on the desktop.

Won't work for the Windows password, but with more and more corporations outsourcing their tools to the cloud, the system account password is rapidly becoming the least important one (like it already is for most people's personal devices).


Back in the day, I changed my password 13 times every month in order to reuse the same one again. Super secure!


Absolutely. Worked in SAP (the variant used by last place anyway). Don't think it was as many as five, three maybe, or change it and change it back even.

