I'm just wondering about the way things are normally done in other companies.
In my experience "anything goes".
I have seen companies where the user is free to use his/her own devised password (the same one, BTW, that he/she uses for Facebook, Gmail and to access online forums), which is evidently wrong, and which, given that the user is called John Doe and was born in 1978, ends up being any of "johnny78", "johnnyiscool78", "mabel08202006" (Mabel is the daughter of John Doe, born on 20th August 2006), etc.
This password is usually asked for by the IT Admin for *anything*, even when it is not at all needed, and not only is it exchanged by telephone, e-mail, SMS or post-it, but it is jotted down, together with the identification of the machine/workstation/terminal to which it belongs and with the login/user, on either a blackboard or on notes on the IT Admin's desk, in the IT Admin's office (which is accessible by everyone inside the building).
I have seen companies where the user passwords are actually issued by the IT Admin and the user CANNOT change them (which is more or less the way the thing should be managed) but among them I have seen *anything*:
1. the password is (given that the user is called John Doe and was born in 1978) "jdoe78".
2. the password is (for the same user) generated by a pseudo-random-hyper-mega-secure algorithm and is "=)#§rWtGGoo04056-/66xA+".
In case #1 there is an Excel spreadsheet listing all machines/logins/users and passwords on the corporate server, in a folder open to everyone, and a printout of the same worksheet either on the IT Admin's desk or pinned to the blackboard in his room.
In case #2, since the user cannot possibly remember it, the password can be found neatly handwritten on a post-it in the left-hand folder of the user's desk.
Once every three to four months a document accessible exclusively from the given user's PC is urgently needed, and since the user is on holiday or the like, the password is spelled out c-l-e-a-r-l-y and very loudly over the telephone, and jotted down on a post-it that is pinned to the user's monitor until he/she comes back and removes it.
Of course there are a lot of "security oriented" companies which manage the matter more properly, usually adding to good password management some form of hardware authentication, like badges, fingerprints or similar, but they are not usually the "norm".