>Most "weak password" checks I encounter will bounce "password" but allow "Password1". Pointless.
Indeed. At my previous company (a certain large blue one) we were forced to change passwords constantly and weren't notified of any unauthorised login attempts. Password rules were strict - you couldn't use abcdefgh1 then replace it with abcdefgh2, for example, but it was fine to use 1abcdefgh then replace it with 2abcdefgh. After 8 password changes the password left the history so you could reuse these.
Similarly, on my phone, I was forced to replace my difficult-to-guess 6-digit PIN with the phrase 1qqqqqqq (which was then replaced with 2wwwwwwww, etc.).
Some people don't get it. How about the way the BBC reported this "news" and gave this advice?
"Swapping letters for numbers and symbols can make your password even more difficult to guess. So, a capital G looks a bit like 6, we'll swap F for 4 because four begins with f, L and I both look like 1s so that's an easy swap. The @ signs are a good alternative to the letter a. It probably goes without saying, but ours is just an example and not one you should use."
Use an @ instead of an a? A 1 instead of an l? Wow. Hackers will never think of that.
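A password-rotation check that handles the cases raised in this thread (the leading-digit increment, the "Password1" case, the leet substitutions, and the 1qqqqqqq PIN), added here as an example and not code from any of the posters; the blocklist, the similarity threshold and the distinct-character minimum are constructed assumptions.

```python
import difflib
import re

# Substitutions the quoted advice recommends; undone before comparison so
# "P@ssw0rd" and "password" collapse to the same core.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "6": "g", "7": "t"})

# Constructed sample blocklist; a real deployment would load a breach corpus.
BLOCKLIST = {"password", "qwerty", "letmein"}


def normalize(pw: str) -> str:
    """Lowercase, drop the leading/trailing run of digits or symbols (the
    "counter" people bolt on at either end), then undo leet substitutions.
    Stripping happens first so a trailing "1" is treated as a counter, not an "l"."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between the normalized cores of two passwords."""
    na, nb = normalize(a), normalize(b)
    if not na or not nb:  # all-digit inputs have no letter core to compare
        return 0.0
    return difflib.SequenceMatcher(None, na, nb).ratio()


def check_password(new: str, history: list[str], min_distinct: int = 4,
                   max_similarity: float = 0.8) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    Unlike the policy described above, the whole history is compared, not only
    the most recent entries, and the comparison is on normalized cores."""
    reasons = []
    if normalize(new) in BLOCKLIST:
        reasons.append("blocklisted word after undoing substitutions")
    if len(set(new)) < min_distinct:
        reasons.append("too few distinct characters")
    for old in history:
        if similarity(new, old) >= max_similarity:
            reasons.append(f"too similar to previous password {old!r}")
            break
    return reasons
```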