In a (non-rail) company I worked in IT for some years ago, it was routine for staff, if you asked them for their account name, to give you the account name and the password. Although it wasn't a safety-critical environment, it was a confidential one, and there was genuine potential for important information to be accessible by unauthorised people.
I don't know how the habit began, though I imagine it was something quite innocuous, but it was the devil's own job getting them to break it.
And, as has already been observed, enforcing excessively stringent requirements on password construction generally makes it far more likely that passwords will get written down on scraps of paper.
What we IT types forget is that it's actually all about the people: we may be able to cryptographically demonstrate that a minimum ten-character password of mixed case and containing at least one digit and punctuation symbol is far more secure than a "letmein" type password, but it's irrelevant if people can't remember it, and even worse if they are forced to select a new incomprehensible password every six weeks (per my last employer!).
Systems that don't need logins shouldn't have passwords - even Windows has a way of allowing an automatic login on power-up. Systems that do need passwords should have policies that balance the need for password strength and security with ease of remembering. And, if that's too hard, there are any number of two-factor gadgets and tools around that will let people authenticate using a simple password and a cryptographic token.