We have a fucktonne of standards for physical security
ISO this, BS that.
How come - in an industry that fetishises standards - there isn't an ISO/RFC standard for authentication that mandates password hashing, etc.? Possibly with an account recovery procedure appendix.
30+ years in IT, and we are still having to fix the roll-your-own brigade's fuck-ups. Because yes, your little postcode validation routine must be better than something tried and tested for decades.