I have long felt that organizations that require password rotation for employees should, when the users are changing their passwords, record and post the old password to an internal site (without any identification of the user) for educational (and mockery) purposes.