by _8j50
1061 days ago
Because user education is hard+costly, you can't just do away with a policy without enforcing high-entropy passphrases or something that doesn't contain guessable patterns or leaked phrases. But my favorite: out-of-date thinking by decision makers. "Since you have 2FA anyways, who cares?" is one sentiment. "We will have passwordless, replace our auth provider or whatever silver bullet, who cares" is another. Just updating the policy and doing the hard work of user education and improved UX doesn't have a good cost-benefit ratio, and it doesn't show managers spending a lot on vendors and drumming up costs of the alternative to show they're actually also saving money. The list goes on. Passwords aren't sexy anymore, so they don't get invited to budget dates.