
I think that mandatory password changing only weakens security because it incentivises users to rotate a single fragment at the end of an otherwise static password.

Example:

MyStaticPassword-2019

MyStaticPassword-2020

MyStaticPassword-2021

If an attacker knows that the last 4 characters of a password are "2021" then it is additional information which can help to possibly crack a cryptographic algorithm.



My network login has become progressively simpler as I have been forced to change it. I use KeePass and unique/random 20 character passwords for every website that I log in to. But not for work. It used to be "Quite hard and very long password". Now it's "NotVeryHardPassword7".


Yup, I'd use whatever super-duper random stream of consciousness my password manager cares to emit were it not for the fact that I have to change it regularly. I'd let the password manager handle the logins if the Windows GINA (or whatever it's called these days) didn't require me to type the whole thing. But if I ever have to type the password somewhere, then MyPassword12! it shall be rather than something that looks like line noise because I'm not muscle-memorizing a new 30 char password every 90 days.


You only have to change it once a year? Such luxury. I have to divide by four to figure out how many years I've worked here. Thing is, when the topic comes up it seems that everyone on my team openly admits to doing just that (static PWD with incrementing integers on the end). But they didn't hire me to secure their network, so if no one else cares...


My employer requires that all passwords be rotated every 180 days unless the password is at least 14 characters, then it's good for 365 days.

I maintain a user-facing system that expires passwords after 120 days, no exceptions, and I've tried in vain to get that restriction lifted.


Not only do you get poor passwords like that, you also get water cooler chatter about how users "beat the system" by using companynameApr2021!

Nothing worse than users blabbing details about their passwords like that.


The usual answer to that is to dictate a minimum difference policy between credentials (meaning you have to provide the previous password at the point of change as it can't be read from elsewhere if properly stored, but that is usually the case as a check against someone changing passwords using a session that is accidentally left unlocked). That can lead to passwords-on-paper which is an issue itself, though not a high risk if security against remote attackers is your only significant threat profile.
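A minimum-difference check of the kind described in that comment, as an added example that is not from the thread: it runs at change time, when the user has just typed the old password, and rejects the rotate-a-fragment patterns quoted above. The six-edit threshold, the trailing-counter pattern, and the helper names are assumptions; length and complexity rules are assumed to be enforced elsewhere.

```python
import re

# A trailing "counter": digits, a year, or punctuation such as "-2021", "7", "12!".
# Assumed pattern; tune it to the suffixes seen in your own environment.
_TRAILING_COUNTER = re.compile(r"[\d\W_]+$")


def password_core(pw: str) -> str:
    """Lower-case the password and strip its trailing counter, so that
    'MyStaticPassword-2020' and 'MyStaticPassword-2021' compare equal."""
    core = _TRAILING_COUNTER.sub("", pw).lower()
    return core or pw.lower()  # all-digit passwords keep their full value


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password_change(old: str, new: str, min_edits: int = 6) -> tuple[bool, str]:
    """Return (accepted, reason). `old` is the plaintext the user just supplied
    at the change prompt; it is never read back from storage."""
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return False, "new password is identical to the old one"
    old_core, new_core = password_core(old), password_core(new)
    if old_core == new_core:
        return False, "only the trailing counter/suffix changed"
    if len(old_core) >= 6 and old_core in new_l:
        return False, "new password contains the old password body"
    if levenshtein(old_l, new_l) < min_edits:
        return False, f"fewer than {min_edits} edits from the old password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes, including the ones quoted in this thread.
    for old, new in [("MyStaticPassword-2020", "MyStaticPassword-2021"),
                     ("NotVeryHardPassword7", "NotVeryHardPassword8"),
                     ("companynameApr2021!", "companynameMay2021!"),
                     ("MyPassword12!", "2021MyPassword!"),
                     ("Quite hard and very long password", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```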


Yup. Even password managers half the time fail to properly capture a password change, so that the easiest way is simply to increment the password, then add that increment in the password manager, instead of going through the trouble of generating a new random password which may or may not end up getting saved.



