I would add as a bad practice vendors that mandate using the server name as a password (?).