Skip to content

kazooless/dumb-password-rules

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 

Repository files navigation

Dumb Password Rules

Shaming sites with dumb password rules.

Contributing

Feel free to submit a pull request with dumb rules you've encountered.

See other sites for the formatting and follow these rules:

  • Include the name of the site with a link.
  • Add a clean comment about the dumb password rule (optional).
  • Include at least one screenshot.
  • Keep the sites in alphabetical order.

Sites

Sometimes I forget that caps-lock is on, glad it doesn't matter.

American Express

Their site says "All information is kept safe and secure." Just not as secure as you'd like.

User Password must be between 6 and 14 characters and contain 1 numerical value.

AmeriHealth

Between 8 and 16, so I can't go up to 20. Oh, and thanks for restricting one of the most common special characters!

AOL

Your password contains characters not listed. Therefore, they do not match.

Arlo

8 to 15 chars. No special chars allowed but requires special chars. Also requires lowercase, uppercase, and numbers. Consecutive chars are prohibited. Did I mention the page hangs while you type? That eye icon tho.

Banco Mercantil

You can enter whatever password you like! But you probably don't want to make it too long, because you'll break us and you'll never be able to login again.

Best Buy Best Buy

The auto-generated strong password is not a valid password ! Blacknight use Odin for it's admin panel.

Blacknight Blacknight

They force you to enter a password that has 8, 9, or 10 characters, then they lecture you on how to create a strong password.

Blackrock

16 maximum and no special characters. Protecting your US healthcare information.

Blue Cross Blue Shield Massachusetts

Password must be exactly 6 characters long and no special character.

BMO Bank of Montreal

They also prohibit pasting into the password field by using a JavaScript alert() whenever you right-click or press the Ctrl button, so you can't use a password manager.

California DMV

We don't even want you to login online.

Chase Bank

Your password should be difficult to guess as long as it's not over 16 characters long.

Comcast

Min 6 and max 8 characters for password! Can't contain anything different than letters and numbers. Apart, the email address must have at least 8 characters (sorry million dollar domain owners! :D)

El Corte Ingles

Exactly 8 characters for password! There must be at least 1 lowercase letter, at least 1 uppercase letter, at least 1 number and at least 1 special char ( * , . $ # @ etc...).

e-learning (Unipd)

No more than 20 characters and leave out characters commonly used by programmers. We don't want you to hack the mainframe.

Fidelity

"Our duties are wide-ranging, and our goal is clear - keeping America safe."

Global Entry

Some characters are too special.

GoDaddy

We store basically all of your data, but we can't store your password.

Her Majestys Revenue & Customs

Intel

Izly by Crous is an imposed French payment service for the university. You can't pay your daily meal without that because yeah you know cash is an ancient dumb thing.

Your username is [email protected] or your phone number. We only allow you a fixed 6 numbers password. Oh yeah we also block your account after three failed atempts. How convenient when the only thing you need to know is the name of someone and where they study. How convenient indeed.

Oh and also look we got pages NOT TRANSLATED IN FRENCH because duh.

Izly by Crous

Passwords must be between 8 and 20 characters, and some special characters are allowed. Users with randomly-generated passwords may find it particularly annoying to generate a password that works for their password safe.

Merrill Lynch

What doesn't seem to be a problem for personal accounts, is for work accounts from Microsoft (e.g. Office 365 etc.).

Maximum 16 characters. So forget about using your new fancy diceware password here - or really any secure passwords in general.

Oh - and besides that, please don't use any "exotic" symbols, like ¤ or €. Or the letters Æ, Ø or Å from the Danish alphabet. They all are supposedly "spaces".

Microsoft (work accounts)

You "may use special characters", but only some of them - and we won't necessarily tell you which ones.

Mindware Mindware

It only accepts lowercase letters, uppercase letters and numbers (any other character counts as forbidden character).
Also, if your password contains any invalid character, it will get marked as "Identical to the former 10 passwords".

To make it more fun, during the registration, it allows to set a 24 characters password to login to their website.
Once you try to login with the password, it will say that the maximum length accepted is 16 characters.
What actually happens, is that they let you insert 24 characters during registration, but only the first 16 will get actually used as password.

MKB NetBankár

Min 7 and max 8 characters for password! Also to be different than the username: the user name is automatically generated and is based on the surname of the user with some characters replaced by digits :)

Has been that way for more than 10 years.

Movistar

We'll tell you not to use your name as your password, but we won't tell you how we restrict your password choice otherwise.

PayPal

Passwords between 8 and 9 characters are the best.

SAP Cloud Appliance Library

Passwords limited to 8-12 characters.

Safeway

/\d{6}/

Singapore Airlines

„Sparkasse“ is a group of banks which is pretty popular in Germany. It calls its passwords „PIN“ („persönliche Identifikations-Nummer“ — personal identification number), the rules are pretty horrific and its not even a number, even though it is called as such! Here is a screenshot from the branch where I am from (Jena, Germany), but since they have a central IT, I think it will be identical in other branches:

Sparkasse Jena

The rules are as such:

  • Only 5 characters
  • Small letters (a-z)
  • Large letters (A-Z)
  • Numbers (0-9)
  • „Special“ characters: ä,ö,ü,Ä,Ö,Ü and ß (Not suprising for a german Company)

After the rules there some hints on how the password should not look like:

  • Combinations of your initials and the birthyear
  • Your phone number or parts thereof
  • Your zipcode
  • Commom combinations like 123ab or 55555
  • Full or parts of your login credentials

Sprint "upgraded" their security and disallow special characters.

Sprint

Financial services - where we don't allow you to create the strongest password possible.

Synchrony Financial

Only tells you the rules after submitting and clicking a link to a pop up window.

Ubisoft

Pick from an arbitrary list of symbols, and no repeating characters.

United States Postal Service

Because of the last two rules, which ban dictionary words and any variants using symbol substitutions, neither of the passwords presented in the xkcd comic are allowed.

University of Texas as Austin

Your password needs to be between 8 and 10 characters long, with no spaces, and must contain only numbers and letters. The first character must be a letter.

Virgin Media

You can only use PIN as your password.

Virgin Mobile

Your password needs to be between 8 and 10 characters long. Previously this would silently truncate the password without warning, causing confusion when the password wouldn't work.

Virgin Trains

Your password length is limited between 6 and 12 characters.

Walmart

Your password must be between 6 and 14 characters.

Wells Fargo

25 maximum characters and disallowing some specials.

Williams-Sonoma

Your password on an Identity Theft Protection service is limited to between 8 and 20 characters. Your username is allowed to be longer than your password.

Wells Fargo Identity Theft Protection

About

Shaming sites with dumb password rules.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published