Hacker News

It shouldn't be personally identifiable information. But PII asks what that information is, not what it should be. Given that people reuse passwords or put things like DOB in their passwords, a conservative classification should treat passwords as PII.

If a company is cracking passwords, it should stop that to protect IT from liability. Example: someone reuses a password, an IT employee sees that during a cracking operation, and that person's account by chance is hacked; now that person can accuse IT of misusing the password.

Maybe those disclaimers will protect them, but it's always smarter to avoid liability entirely than rely on fine print that a court can disregard.


