Password length
I was once doing a review of security at a government agency which had offices all over the country. In the local office there was, according to their security officer, a minimum password length set of 10 characters. The SO wanted to come with me as I interviewed staff, and I said ok, but please don't say anything, and the staff might just say things that surprise you if they forget you are there.
Well, two ladies were interviewed together, and I asked about the length of their passwords. One was adamant the hers was only 8 characters, and she tested it (without revealing it), and it was only 8 characters.
The SO was quite surprised and, fortunately, impressed. There followed a review of the IT security implementation (by him not me).