I am currently an adjunct instructor at a local community college. The IT people there are, umm, somewhat anal-retentive. Us faculty and staff must change passwords every 90 days; hashes for old passwords are kept for 36 password changes, or 9 years. Passwords must be at least 10 characters, at least one of which must be a lower case letter, an upper case letter, a number, and a symbol. Students must change passwords at the start of a new semester. Multi-factor authentication is provided using the MS Authenticator app on smartphones, tablets, Win10 boxes, or Macs. If I log into Canvas (the Learning Management System) on any browser, on Mac, Windows, phone or tablet, I must authenticate. If I log into Workday, I must authenticate… even if I use a tab on the same browser as the Canvas login. If I log into webmail, again I must authenticate. The authentication lasts for 8 hours, or until I log in with a different browser, including a different browser on the same machine, whichever is the shorter. I must then authenticate again. For each service. Logging in to a school computer on the school network does NOT log you into services; you must authenticate for each. Now, the password is the same for all services, but not for anything external; logging into the textbook site uses the school ID, but a completely different password. If someone got my credentials they would also have to get my MFA stuff, and school passwords would be useless for non-school logins.
Meanwhile, I used to do adjunct work for a different community college. I haven’t been there for six years. My credentials still work. I had a truly amazing amount of email.
Some school IT people are BOFH level. Some are Boss level. Or lower.