Re: Ahhh passwords...
I started work at one company, as their first IT Manager. Until that point, they had had external contractors running their IT. This was a company with a couple of hundred employee, working on 3 sites.
When I started, the first thing to do, was to change the administrator password - but the accountant didn't want that, because all the wanna-be admins wouldn't then be able to log on! Then there was the user passwords. The consultant had set everybody's passwords to "12345" and they couldn't change them "for ease of support."
I then checked around the server configurations and the first thing I spotted was, that all of these user accounts with password 12345 also had Exchange mail, with OWA exposed and mobile device access open... So anybody, anywhere in the world, with the email address of an employee of the firm could log onto the web portal and give the password 12345 and they were in...
A hectic morning of going through all accounts and disabling OWA and mobile access and setting the "change password at logon" flag... Followed by wailing and gnashing of teeth and a stern word from the CEO for "disrupting" his business...
Curiously, the company went into receivership shortly thereafter...