Westpac Bank

A password requires:

6 characters, including at least 1 number and 1 letter

no more than 2 repeating or consecutive characters

no blanks, spaces, or special characters

We recommend your password does not include your birth date, name, or other obvious information

(an update from a previous post)

Westpac recently got rid of its 5-character max limit. Finally I thought, someone who knows about password security has been in their ear. But no. The new password limit is a whopping 6 characters long, all alphanumeric, no spaces. Failing hard, then failing hard again, that’s the way they do security at westpac.

editor's note: recommend? like, I wouldn't be able to use a $ but could use my DOB?

Lufthansa

❌ minimum of 8 character(s)

✅ minimum of 1 lowercase letter(s)

✅ minimum of 1 uppercase letter(s)

✅ minimum of 1 number(s)

✅ minimum of 1 special character (s) !”$%&()*+,-./:;#<>?_@\

✅ does not match the Username

ℹ︎ Not used before, not easy to guess

No idea what the maximum password length is. This one was as long as 1Password makes them, which is somehow… less than 8 characters?

smartview

(image shows a 64-character randomly generarted password with a strength indication of "very weak 0%")

The password must contain characters from at least 3 of the following 4 categories:

English uppercase characters (A - Z)

English lowercase characters (a - z)

Base 10 digits (0 - 9)

Non-alphanumeric (for example: !, $, #, or %)

The password cannot be the same as the username

The password must have a minimum of 8 characters

Online "collaboration portal" for real estate transactions. After attempting several 64-character passwords which exceeded some undocumented maximum password length, I tried a 35-character one, which was accepted. No clue what the actual max length is.

Smithsonian Earth TV

Password (min 8 characters):

Please enter a value between 8 and 15 characters long

Please enter a value between 8 and 15 characters long?!

Westpac Bank

👁 A password requires:

👁

6 characters, including at least 1 number and 1 letter

no more than 2 repeating or consecutive characters

no blanks, spaces, or special characters

👁 We recommend your password does not include your birth date, name, or other obvious information

Westpac Bank recently got rid of its 5-character max limit. Finally I thought, someone who knows about password security has been in their ear. But no. The new password limit is a whopping 6 characters long, all alphanumeric, no spaces. Failing hard, then failing hard again, that’s the way they do security at westpac.

editor's note: as genuinely terrible as these password constraints are, this is actually an improvement over a previous Westpac submission, the one with the on-screen keyboard.

TransitChek®

Must be at least 12 characters in length

Must include at least 1 number

Must include at least 1 special character

Must include at least 1 upper and 1 lower case letter

Must be different from the previous 10 passwords

I know you don’t want random hackers to get a hold of how much money you spend on subway fare, but this seems like overkill.

editor's note: idk I can support a desire for strong password culture everywhere. I'm just not convinced these rules are in any way useful or productive to that end.

EWealthManager

8-character minimum. A valid Password must begin and end with a letter, include at least one lower case letter, and two imbedded numbers. Must not contain the username. May contain up to 5 special characters.

editor's note: far be it for me to judge spelling errors generally. some people aren't great at spelling, some people have only heard and never seen a word spelled out, whatever, don't care. i would expect, however, that the password micro copy gets a quick spell-check before shipping. that's not how "embedded" is spelled. that's not even really what "embedded" means? also it is unclear how any of these rules, save the minimum, improve security.

Sun Life Financial

⬜️ 8 to 10 characters

⬜️ 1 number (minimum)

⬜️ 1 letter (minimum)

✔ No spaces

✔ No special characters

⬜️ Passwords match

No special characters?! Seriously?!

Google Store Financing - Synchrony

❗️ Please follow the rules below for new passwords. The following special characters are permitted: !#$*+.:;=?@^_|~,

Minimum of 7 characters, have upper case and lower case letters, and at least 2 numbers, special characters permitted, spaces are not permitted.

(the markup for the input includes onpaste="return false")

I was surprised to see these bizarre password requirements on a Google-branded page, and knew I had to submit it here.

The Google store financing services by synchrony bank not only restrict an inexplicable selection of special characters, but also prevent pasting in their registration form. You cannot even generate a password outside of the browser to paste in.

I guess the Google security team can only do so much when partnering with third parties!

ABSA Bank

Password rules:

The password is alphanumeric (Comprises both letters and numbers), for example: Coffee2

The new password should be 8 to 12 characters.

The Password must be case sensitive. For example: Coffee

No special characters or spacing is allowed */?-%$#@!.^()

Choose a Password that is easy to remember, but that nobody else is likely to guess.

Your own name or sequences will not be allowed, for example John1234

ABSA bank online banking registration form

editor’s note: “easy to remember” actually has real potential here. “secure” does not.

Moviepass

Passwords should be between 5 & 20 characters

editor’s note: looks like moviepass had even bigger problems while I was laying down on the job, oops.

Blue Shield of California

⚠️ Password must be 8-20 characters, no spaces and must contain at least 3 of these characters: 1 uppercase, 1 lowercase, numbers, or symbols.

Passwords are case sensitive, must not contain symbols and must be at least 8 characters.

Must contain 3 of: uppercase, lowercase, number, symbol. But must also not contain symbols!

editor's note: yet another update from two previous Blue Shield CA posts, this time calling out the conflicting symbol-related instructions.

Southern Illinois University, Edwardsville

The previous 6 passwords cannot be reused

A password must contain at least seven characters (letters or numbers) but no more than eight characters

A password must contain at least five unique characters

A password must contain at least one letter (A-Z or a-z) and at least one number (0-9)

A password must start with a letter or a number

A password cannot contain any of the characters & $ @ = + " / [ ] ⌷ \* , ? > - \' or a space

A password cannot be a person’s name, an e-ID or any word found in the dictionary

A password cannot be any of the following spelled backwards: a person’s name, an e-ID or any word found in the dictionary

A password cannot have a repeating pattern (e.g. ababab or abcdefg)

A password cannot have a pattern like ‘ccNNNNNc’ where ‘c’ represents any character and ‘N’ represents any number. (These are National Insurance numbers and are widely known on the web.)

These are the password requirements for a university with over 14,000 students. This is their SSO system used for everything - computer logins, email, online grading, etc. I think both their password policies, as well as the password change portal, need an update.

editor’s note: wow there is a lot to unpack here; i’m just gonna assume readers understand the basics of why this is all bad. okay so did anyone else catch that the disallowed characters are literally “escaped” in plain text there? what is going on SIUE? are you just like… literally begging for some script kiddie freshman who sees himself as the next great black hat to come along and “pwn” your users table? (do the kids still say “pwn”? or “script kiddie”?).

next, that backwards name thing. guess the password policy author thought they were being sooooooo clever. someone go check all their personal accounts for backwards names in the passwords.

finally, the national insurance thing. that numeric format is for national insurance numbers with the ~~NHS~~ DWP. in the UK. SIUE is in rural southern Illinois, in the US. i can only assume that means there’s many sites using this password requirements pattern, lort save us all.

edit, additional context: apparently, NI numbers are nine characters (ccNNNNNNc) and therefore wouldn't even fit into an 8-character password limit. Thanks for the tip, Andrew!

Belastingdienst

The password change screen for the Dutch tax service…. translated:

✓ Between 8 and 25 characters

✓ At least 3 characters different from the previous password

𐄂 No more than 3 the same characters

✓ At least one uppercase character

✓ At least 4 lowercase characters

✓ At least 1 digit or sign from the set listed

✓ No more then 3 special signs from the list

✓ Only allowed characters (letters, digits, listed special characters)

✓ Not allowed: any other ‘special’ characters

It wouldn’t accept most passwords generated by pwgen 25 … as they had too many repeating characters.

Microsoft Power BI

Microsoft Power BI account creation screen. Password must be between 8 and 16 characters.

This is a business analytics tool, practically trying to be responsible for some massive corporate espionage breach.

Your password can’t be longer than 16 characters.

Zenni Optical

Zenni offers a great service, but 14 characters just isn't enough to keep prescription information secure.

8-14 characters

include at least (1) letter AND (1) number

Passwords are Case Sensitive

Bonus fail: pre-selected opt-in for email newsletter.

American Eagle Outfitters

Just another ecommerce site that offers to save your credit card behind the security of a 15-character password. Thanks.

6-15 Characters