I’m not at all shocked.

I detest sites with requirements to include “one lower case character, one capital letter, one number, no multiple identical consecutive characters, at least eight characters…”

(These are actual (partial) requirements for an Apple ID password.)

The whole username/password thing needs to be abandoned. They, along with stupid security questions are little more than security theatre.

(The article is from 2013, but the sentiment remains.)