Today I went through the process of setting up online access to the second of two bank accounts and linking them together. I just encountered more horrid practices in security policy than I ever thought I'd see in one day.

Managers, can I get your attention for one sentence? Lumping arbitrary restrictions on your users' passwords doesn't make them stronger.

Another thing I ran into that's just an interface issue is not checking that the password and confirm password fields match until submit is clicked. Come on, we have event listeners and web components' render templates now that make it trivial to have an indication appear whenever the two fields' contents differ.
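The live check described above, as an added example that is not from the original post: `input` listeners on both fields update a hint as the user types and keep the form from submitting while the fields differ. The element IDs (`#password`, `#confirm`, `#match-hint`) and the function names are assumptions made for illustration.

```javascript
// Added example; names and element IDs are assumptions, not from the post.

// Decide what the indicator should show for the current field values.
// 'empty'  : confirm field is blank, so show nothing yet
// 'typing' : confirm is a correct prefix so far, so don't nag mid-word
function matchState(password, confirm) {
  if (confirm.length === 0) return 'empty';
  if (confirm.length < password.length && password.startsWith(confirm)) {
    return 'typing';
  }
  return password === confirm ? 'match' : 'mismatch';
}

// Attach the check to the two fields and a hint element.
function wireConfirmCheck(passwordEl, confirmEl, hintEl) {
  const messages = {
    empty: '',
    typing: '',
    match: 'Passwords match',
    mismatch: 'Passwords do not match',
  };
  function update() {
    const state = matchState(passwordEl.value, confirmEl.value);
    hintEl.textContent = messages[state];
    hintEl.dataset.state = state; // hook for styling, e.g. [data-state="mismatch"]
    // A non-empty custom validity message blocks native form submission.
    // The blank case is left to the field's `required` attribute.
    const incomplete = state === 'typing' || state === 'mismatch';
    confirmEl.setCustomValidity(incomplete ? messages.mismatch : '');
    return state;
  }
  // 'input' fires on every edit (typing, paste), not only on blur like 'change'.
  // Listen on both fields: editing the first one can also break the match.
  passwordEl.addEventListener('input', update);
  confirmEl.addEventListener('input', update);
  return update;
}

// Browser wiring; assumes the script runs after the form has been parsed.
if (typeof document !== 'undefined') {
  wireConfirmCheck(
    document.querySelector('#password'),
    document.querySelector('#confirm'),
    document.querySelector('#match-hint') // e.g. <span id="match-hint" aria-live="polite">
  );
}
```

The comparison runs entirely in the page and the values are never logged or sent anywhere; the server still has to validate the submitted password itself.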