The Cybersecurity and Infrastructure Security Agency ("CISA") in the US has published a list of bad practices.  This is guidance from a...