password-shaming
Password Requirements Shaming
What do you mean your password field has a max length?! I'm sorry, you want me to NOT use any special characters? (apparently i mention how low the bar is pretty frequently.)
password-shaming · 5 years ago
Westpac Bank
A password requires:
6 characters, including at least 1 number and 1 letter
no more than 2 repeating or consecutive characters
no blanks, spaces, or special characters
We recommend your password does not include your birth date, name, or other obvious information
(an update from a previous post)
Westpac recently got rid of its 5-character max limit. Finally I thought, someone who knows about password security has been in their ear. But no. The new password limit is a whopping 6 characters long, all alphanumeric, no spaces. Failing hard, then failing hard again, that’s the way they do security at westpac.
editor's note: recommend? like, I wouldn't be able to use a $ but could use my DOB?
password-shaming · 5 years ago
Lufthansa
❌ minimum of 8 character(s)
✅ minimum of 1 lowercase letter(s)
✅ minimum of 1 uppercase letter(s)
✅ minimum of 1 number(s)
✅ minimum of 1 special character (s) !”$%&()*+,-./:;#<>?_@\
✅ does not match the Username
ℹ︎ Not used before, not easy to guess
No idea what the maximum password length is. This one was as long as 1Password makes them, which is somehow… less than 8 characters?
password-shaming · 5 years ago
smartview
(image shows a 64-character randomly generated password with a strength indication of "very weak 0%")
The password must contain characters from at least 3 of the following 4 categories:
English uppercase characters (A - Z)
English lowercase characters (a - z)
Base 10 digits (0 - 9)
Non-alphanumeric (for example: !, $, #, or %)
The password cannot be the same as the username
The password must have a minimum of 8 characters
Online "collaboration portal" for real estate transactions. After attempting several 64-character passwords which exceeded some undocumented maximum password length, I tried a 35-character one, which was accepted. No clue what the actual max length is.
password-shaming · 5 years ago
Smithsonian Earth TV
Password (min 8 characters):
Please enter a value between 8 and 15 characters long
Please enter a value between 8 and 15 characters long?!
password-shaming · 5 years ago
Westpac Bank
👁 A password requires:
👁 6 characters, including at least 1 number and 1 letter
no more than 2 repeating or consecutive characters
no blanks, spaces, or special characters
👁 We recommend your password does not include your birth date, name, or other obvious information
Westpac Bank recently got rid of its 5-character max limit. Finally I thought, someone who knows about password security has been in their ear. But no. The new password limit is a whopping 6 characters long, all alphanumeric, no spaces. Failing hard, then failing hard again, that’s the way they do security at westpac.
editor's note: as genuinely terrible as these password constraints are, this is actually an improvement over a previous Westpac submission, the one with the on-screen keyboard.
password-shaming · 5 years ago
TransitChek®
Must be at least 12 characters in length
Must include at least 1 number
Must include at least 1 special character
Must include at least 1 upper and 1 lower case letter
Must be different from the previous 10 passwords
I know you don’t want random hackers to get a hold of how much money you spend on subway fare, but this seems like overkill.
editor's note: idk I can support a desire for strong password culture everywhere. I'm just not convinced these rules are in any way useful or productive to that end.
password-shaming · 5 years ago
EWealthManager
8-character minimum. A valid Password must begin and end with a letter, include at least one lower case letter, and two imbedded numbers. Must not contain the username. May contain up to 5 special characters.
editor's note: far be it for me to judge spelling errors generally. some people aren't great at spelling, some people have only heard and never seen a word spelled out, whatever, don't care. i would expect, however, that the password micro copy gets a quick spell-check before shipping. that's not how "embedded" is spelled. that's not even really what "embedded" means? also it is unclear how any of these rules, save the minimum, improve security.
password-shaming · 5 years ago
Sun Life Financial
⬜️ 8 to 10 characters
⬜️ 1 number (minimum)
⬜️ 1 letter (minimum)
✔ No spaces
✔ No special characters
⬜️ Passwords match
No special characters?! Seriously?!
password-shaming · 5 years ago
Google Store Financing - Synchrony
❗️ Please follow the rules below for new passwords. The following special characters are permitted: !#$*+.:;=?@^_|~,
Minimum of 7 characters, have upper case and lower case letters, and at least 2 numbers, special characters permitted, spaces are not permitted.
(the markup for the input includes onpaste="return false")
I was surprised to see these bizarre password requirements on a Google-branded page, and knew I had to submit it here.
The Google store financing services by synchrony bank not only restrict an inexplicable selection of special characters, but also prevent pasting in their registration form. You cannot even generate a password outside of the browser to paste in.
I guess the Google security team can only do so much when partnering with third parties!
password-shaming · 5 years ago
ABSA Bank
Password rules:
The password is alphanumeric (Comprises both letters and numbers), for example: Coffee2
The new password should be 8 to 12 characters.
The Password must be case sensitive. For example: Coffee
No special characters or spacing is allowed */?-%$#@!.^()
Choose a Password that is easy to remember, but that nobody else is likely to guess.
Your own name or sequences will not be allowed, for example John1234
ABSA bank online banking registration form
editor’s note: “easy to remember” actually has real potential here. “secure” does not.
password-shaming · 5 years ago
Moviepass
Passwords should be between 5 & 20 characters
editor’s note: looks like moviepass had even bigger problems while I was laying down on the job, oops.
password-shaming · 5 years ago
Blue Shield of California
⚠️ Password must be 8-20 characters, no spaces and must contain at least 3 of these characters: 1 uppercase, 1 lowercase, numbers, or symbols.
Passwords are case sensitive, must not contain symbols and must be at least 8 characters.
Must contain 3 of: uppercase, lowercase, number, symbol. But must also not contain symbols!
editor's note: yet another update from two previous Blue Shield CA posts, this time calling out the conflicting symbol-related instructions.
password-shaming · 5 years ago
Southern Illinois University, Edwardsville
The previous 6 passwords cannot be reused
A password must contain at least seven characters (letters or numbers) but no more than eight characters
A password must contain at least five unique characters
A password must contain at least one letter (A-Z or a-z) and at least one number (0-9)
A password must start with a letter or a number
A password cannot contain any of the characters & $ @ = + " / [ ] ⌷ \* , ? > - \' or a space
A password cannot be a person’s name, an e-ID or any word found in the dictionary
A password cannot be any of the following spelled backwards: a person’s name, an e-ID or any word found in the dictionary
A password cannot have a repeating pattern (e.g. ababab or abcdefg)
A password cannot have a pattern like ‘ccNNNNNc’ where ‘c’ represents any character and ‘N’ represents any number. (These are National Insurance numbers and are widely known on the web.)
These are the password requirements for a university with over 14,000 students. This is their SSO system used for everything - computer logins, email, online grading, etc. I think both their password policies, as well as the password change portal, need an update.
editor’s note: wow there is a lot to unpack here; i’m just gonna assume readers understand the basics of why this is all bad. okay so did anyone else catch that the disallowed characters are literally “escaped” in plain text there? what is going on SIUE? are you just like… literally begging for some script kiddie freshman who sees himself as the next great black hat to come along and “pwn” your users table? (do the kids still say “pwn”? or “script kiddie”?).
next, that backwards name thing. guess the password policy author thought they were being sooooooo clever. someone go check all their personal accounts for backwards names in the passwords.
finally, the national insurance thing. that numeric format is for national insurance numbers with the ~~NHS~~ DWP. in the UK. SIUE is in rural southern Illinois, in the US. i can only assume that means there’s many sites using this password requirements pattern, lort save us all.
edit, additional context: apparently, NI numbers are nine characters (ccNNNNNNc) and therefore wouldn't even fit into an 8-character password limit. Thanks for the tip, Andrew!
password-shaming · 5 years ago
Belastingdienst
The password change screen for the Dutch tax service, translated:
✓ Between 8 and 25 characters
✓ At least 3 characters different from the previous password
𐄂 No more than 3 of the same characters
✓ At least one uppercase character
✓ At least 4 lowercase characters
✓ At least 1 digit or sign from the set listed
✓ No more than 3 special signs from the list
✓ Only allowed characters (letters, digits, listed special characters)
✓ Not allowed: any other ‘special’ characters
It wouldn’t accept most passwords generated by pwgen 25 … as they had too many repeating characters.
password-shaming · 7 years ago
Microsoft Power BI
Microsoft Power BI account creation screen. Password must be between 8 and 16 characters.
This is a business analytics tool, practically trying to be responsible for some massive corporate espionage breach.
Your password can’t be longer than 16 characters.
password-shaming · 7 years ago
Zenni Optical
Zenni offers a great service, but 14 characters just isn't enough to keep prescription information secure.
8-14 characters
include at least (1) letter AND (1) number
Passwords are Case Sensitive
Bonus fail: pre-selected opt-in for email newsletter.
password-shaming · 7 years ago
American Eagle Outfitters
Just another ecommerce site that offers to save your credit card behind the security of a 15-character password. Thanks.
6-15 Characters