What is in our control is to not require excessively long, frequently expiring passwords. And we can implement systems that authenticate against a common credential store (e.g., AD-integrated apps).
If a user has credentials in a dozen independent systems, all with different rules and max ages, of COURSE they're going to write them down.
The worst I've seen is a password written in pen on the actual white plastic of the monitor! That was an accounting manager at a bank.