I would forward the email to my manager and let management respond appropriately. I would not respond to the email unless my management gave the okay. It is important you stay out of these potential conflicts. Managers react to their peers or higher much differently than to others. By the way, I have worked in many industries including banking. The security is more stringent,e.g. password must contain at least one number, consecutive letters and numbers are not permitted, your name cannot be used, last ten passwords cannot be used, and crypted user ids (no ‘bsmith’ or ‘morgant’ but ‘atazv4k’). You can program these rules into the security schemes according your company’s policy so the system validates the entries. At one job, I had to block using specific country or city names because I discovered our Japanese management used their location city-country names for passwords. There was repetitive examples when ‘tokyojapan’ and ‘losangeles’ were the passwords.