passwords are mostly harvested in 3 ways: [...] and from just plainly asking people for their passwords.

Simply asking for credentials works shockingly well. You need one bar of chocolade per password: https://orbilu.uni.lu/handle/10993/26214 (via https://www.heise.de/hintergrund/Passwort-gegen-Schokolade-3245447.html).

And it becomes much worse in an environment were people trust each other. Just today, a co-worker showed me a really old piece of paper with his/her current (Samba) Active Directory password, which would give me access to Windows, mails, calendar, vacation planner, and other systems. The account name is trivially firstname.lastname, so just handing out the password is sufficient to gain access. The password is really bad, it can be found in every dictionary, and just adds one non-alphanumeric character. To make things worse, we have just finished migrating our legacy Samba NT4 domain to Active Directory, including a mandatory password reset for all users. And people simply reuse their old, insecure passwords hidden under keyboards, desk pads, or in the top drawer. And the really, really worst part of that password: It was the default passwort for new accounts used for at least a decade.

I'm a developer, but one day every two weeks is reserved for admin work. I can get root/Administrator access on all machines, and so I could bypass all ACLs and Unix permissions. I would not need anyone's password to get access to all data. So handing out a personal password to me technically does not make things worse. But just the fact that co-workers hand out their password at all is wrong. I don't want to know their passwords, I don't want access to their data.

I would really like to hire a trustworthy friend to repeat the chocolade-for-password experiment at work. Followed by a mandatory password security training, after asking who has got a sweet present.

Alexander