My company has solid security policies, which seem to be oriented toward best practices. And I am very glad that they don't enforce nonsense policies that would actually weaken the passwords that users choose. That, of course, isn't the case with every company. There is one particularly arcane case. They have these rules for passwords:
Every now and then I create an account on a new website. Since numerous websites get breached, I choose a unique password for each website. All of those are stored in a password manager. If you want to get a feeling for the number of breaches, look at Have I Been Pwned. Those are only the breaches that became public; there are probably many unreported cases for each public one.