In the early days of the web, more than 20 years ago, I recall a self-identified "security researcher" who put up a poll about how secure people's passwords were.
How many characters in your password?
Does it use upper-case, lower-case, or mixed?
Any non-alphanumeric characters in it?
In other words, *exactly* the questions an attacker would ask to narrow down a password search.
While it's not too surprising that there were some idiots who provided answers, what I found (and find) surprising is that the so-called "security researcher" didn't recognize the impropriety of such questions.