
It leads to less security as it is more likely that the new password will just be an old one with an incremented number at the end.


And unless there is a minimum password age some people will just change it 20 times and then back to the same password.
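One defensive check for the pattern the two comments above describe, as an added example that is not from any commenter: on a password change, re-hash the candidate's trivial predecessors (trailing number stripped, decremented, or a digit removed) under each stored history entry's salt, so both "old password plus an incremented number" and simply cycling back to an old password are rejected even though only hashes of old passwords are kept. The function names, the PBKDF2 parameters and the sample passwords are my assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed, hypothetical helpers (not code from any commenter or product).
ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the form in which old passwords are kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def remember(history: list, password: str) -> None:
    """Append (salt, digest) for a password that has just been set."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def trivial_variants(candidate: str):
    """Yield forms the previous password likely had if the user only bumped a number.

    'Summer2024' could have come from 'Summer2024' (reuse), 'Summer' (number
    appended), 'Summer2023' (number incremented) or 'Summer202' (digit added).
    """
    yield candidate
    match = re.fullmatch(r"(.*?)(\d+)", candidate)
    if match:
        stem, num = match.groups()
        yield stem
        prev = int(num) - 1
        if prev >= 0:
            yield stem + str(prev)
            if num.startswith("0") and len(num) > 1:
                yield stem + str(prev).zfill(len(num))  # keep padding: 0042 -> 0041
        yield candidate[:-1]  # one digit appended to an existing number


def reuses_history(candidate: str, history: list) -> bool:
    """True if the candidate, or a trivial variant of it, hashes to an old entry.

    Only hashes are stored, so each variant is re-hashed under each entry's
    salt and compared in constant time.
    """
    for salt, digest in history:
        for variant in trivial_variants(candidate):
            if hmac.compare_digest(hash_password(variant, salt), digest):
                return True
    return False
```

The variant list is deliberately small; a history depth large enough to outlast the "change it 20 times" trick is what makes the straight-reuse branch effective.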


The worst part is it actually leads users to boasting about how they "beat the system", essentially telling their coworkers what their pattern is, making the password easier to guess.


I have long felt that organizations that require password rotation for employees should, when the users are changing their passwords, record and post the old password to an internal site (without any identification of the user) for educational (and mockery) purposes.


That will help attackers. People often make passwords similar to their old passwords. A machine learning model could be trained on this list.


Most people, myself included, keep our login passwords written on paper in our desk because of this stupid practice. Can't use previous passwords and new password every 90 days. This is on top of 2FA.


Are you saying that "old one + number" is less secure than "old one"? That doesn't sound right.



