Yes. I think there are two points in here. There's the cyber-awareness training and the passwords, so we'll talk about both.
For the passwords, yes, there should be more standards. They're actually easily set by policies. You should set more policies on it. That can be mandated in legislation. It would be more clear. When I look at MITS or at requirements, it's not always clear what the password guidelines are. It's not prescriptive enough.
Absolutely, that's just one example. You probably want to do away with common and known passwords that people choose often. You want to try to make sure that they don't choose dates that are reflective of their own personal history and that an attacker might also already have.
There are ways of making sure that gets legislated and then enforced. That's a very good example—