That's not about security, your friend is just fucking dumb since he publicize his own password.
Do you think it's clever to write your Bitcointalk username and password, then throw it away to everywhere you want?
This is why before try something, one should understand and learn what he do to prevent about this case may happen due to carelesss.
Careless
Dumb
Lucky
but it starts with his carelessness first.
How do you safely keep your recovery phrase written on paper?That careless person was lucky because his Mom found this, not a bad person not a stranger.
Yesterday, my mom did a general cleaning on my room and when she's done, I saw the recovery phrase of my Trezor hardware wallet on the garbage can which I placed on my computer table