Re: Although passwords are poorly managed...
Yeah, the conflicting results you mention are the result of yet another flash-in-the-pan idea to "fix" password re-use. The idea went something like this:
If you make the "complexity" rules completely arbitrary and wacky for every site, people can't re-use the same password everywhere.
The problem is that it fails to accomplish that end reliably, and inflicts pain and annoyance everywhere consistently. It is now considered unfashionable.
We need to just stop trying to fix them. There are much better, easier, and more secure ways to do this. FIDO, TOTP, and phone or hardware tokens run rings around passwords. Once you get there, SSO is easier.
Something else that would be good is getting more of these systems off their custom-built login windows and onto something with a more modular interface. PAM meant that *nix-based systems could update or swap authentication sources or methods W/O ripping up the front end.