A1 Mobile Serbia
A1 mobile Serbia is a mobile provider in Serbia that imposes poor password rules. Translation: "Length of the password must be between 8 and 20 characters and can only have letters and digits."
A1.net
- At least 8 and at most 16 characters - At least 1 digit - At least 1 uppercase letter The password must not contain your first name, surname or username. The allowed special characters are: ! @ # % ^ & * _.
ADP
Forced to change the password during the first login. At least they could use proper grammar in their rule list.
ANZ Bank
Your password needs to be between 8 and 16 characters long - no special characters allowed.
AOK (German Health Insurance)
This is the online customer portal of the German health insurance company AOK. They have an extensive set of rules for both passwords and usernames. The password rules are: - Length between 8 and 14 characters - At least one letter, one number and one special character - Special characters are: !@$%/=?`+@#_.;:{}| - The password must not start with ? or ! - The password must not include the username - The password must not be the same as any of your previous passwords The rules for the username are: - Length between 1 and 12 characters - No umlauts allowed (äöü), no special characters, no spaces, no ., no _, no ß
AOL
Between 8 and 16, so I can't go up to 20.
APEC
- Between 12 and 30 characters - At least one uppercase letter, one lowercase and one digit - At least one special character BUT NOT the "euro" € character.
ASN Bank
Your password needs to be between 8 and 20 characters long - at least 1 number, 1 lower case letter, 1 upper case letter, 1 special character.
AT&T
The only special characters allowed are underscores and hyphens.
Admiral
Restrict the inclusion of a % character.
Advanzia
- Requires at least 6 to a maximum of 12 characters [sic!] - Allows only digits and letters without umlauts - Allows only specific special characters: ? ! $ \u20AC% & * _ = - +. ,:; / () {} [] ~ @ # - Allows no spaces"
Aetna Health Insurance
- Password cannot be longer than 20 characters - Password cannot have spaces and more 2 characters repeated in a row - Password cannot have user's first name, last name or username
Air France
- Between 8 to 12 characters - Should contain capital, lowercase letters and numbers
Air Miles
- Exactly 4 numbers.
AirAsia
- Between 8 and 16 characters - Must contain a number, a lowercase letter, and an uppercase letter - Special characters allowed, but not periods, commas, tildes, or angle brackets
Alibaba
- At least 2 uppercase letters - Plus 2 lowercase letters - Plus 2 numbers - Plus 2 punctuation marks Phew, too many rules, because why not, if [Ma thinks AI stands for Alibaba Intelligence](https://www.youtube.com/watch?v=f3lUEnMaiAU), then password rules can be equally intelligent too. Also, this gibberish if you intentionally left the "confirm password" field empty and that's even after a `en_US` redirection. - 请输入新的登录密码.
Ameli.fr (French national health insurance)
This was very painful to find a password that works with this one and that I can actually remember (I ended-up using my bank-account number because everything else failed). It took me maybe one hour and I thought I would become crazy (and yes, the session expires frequently while you are actually thinking about a password). - The password must be more than 8 characters - But you cannot use more than 13 characters - You can only use digits - You cannot use your birthdate or your login - You cannot use a sequence of digits (if your password happens to contain 56 or 89 it will be rejected) - You cannot repeat the same character (if your password contains 22 or 55 it will be rejected)
AmeriHealth
Their site says "*All information is kept safe and secure.*" Just not as secure as you'd like. User Password must be between 6 and 14 characters and contain 1 numerical value.
American Airlines
- Between 6 and 16 characters
American Express
Sometimes I forget that caps-lock is on, glad it doesn't matter.
AmiAmi
Your password needs to be between 6 and 12 characters long, must contain only letters and numbers.
Ancestry
Password: - Must be at least 8 characters long - Must contain at least 1 number - Must contain at least 1 letter or special character - Must not be a well known or common password
Anthem.com
* Use 8-20 characters. * Use 1 letter and 1 number. * $ ! @ * ? | also allowed. * Don't use spaces. * Don't use the same character three times in a row. * Don't use part of the username.
Apple
Can't contain 3 or more consecutive identical characters, nor can it be more than 32 characters long.
Arbeitnehmeronline
Service for managing employment documents of the German company Datev. Only the following character categories are allowed: Letters, numbers and this special characters set: !#$%&()*+,-./:;<=>?@[\]^_`{|}~äöüßÄÖÜ
Arlo
Your password contains characters not listed. Therefore, they do not match.
Aruba Cloud
Must be different from the last 3 passwords used. Your password must contain at least an uppercase and lowercase letter and number. Must contain at least one special symbol.
BBVA
Username is your national ID (easy to find) and your password must have up to **6** alphanumeric characters only. For a bank account with all your money in one of the largest financial institutions in the world.
BCV
Username is randomly generated, example: 'H2487414'. The password must have **6** digits only. Password can only be changed from the mobile application:
BDO
Please nominate a password which contains UPPERCASE, lowercase, numbers and symbols. Password should not be the same as the user ID. Avoid using consecutive characters such (ex. abc, DEF, 678) and invalid characters such as [!#$%^&';"].
BMO Bank of Montreal
Password requires at least one special character but disallows backtick ```, backslash `\`, vertical bar `|`, and underscore `_`.
BMW ConnectedDrive
Although the prompt suggests good things, after many failed attempts to set a new password, it turns out you can ONLY use the special characters shown in the prompt
BOINC Bakerlab
Passwords may only include ASCII characters, not even extended ASCII.
Banca Intesa Serbia
Online banking portal of Banca Intesa Serbia has some password restrictions. This is the translation of the requirements: No special characters, minimum number of characters is 8, maximum number of characters is 22, minimum number of upper case letters is 1, lower case also 1, numeric characters is 2, first character must be a upper or lower case letter and maximum number of character repeats is 2.
Banco Mercantil
8 to 15 chars. No special chars allowed but requires special chars. Also requires lowercase, uppercase, and numbers. Consecutive chars are prohibited. Did I mention the page hangs while you type? That eye icon tho.
Banco Nacional (Costa Rica National Bank)
Between 8 and 16 characters. Must have 4 numbers and 4 letters. Must not contain same letter or number in consecutive order. Can't contain vowel letters neither the letter Ñ. Password can't be the same as the previous 6 used.
Bank Leumi (Israel)
- Password consists of 6 to 12 characters - Password contains only english letters and numbers without spaces.
Bank Millennium
Passwords limited to 8 digits.
Bank of America
20 character max and lots of special character restrictions. Bank of America - keeping your money safe. Also: If you paste a password greater than 20 characters, the form truncates it without telling you or giving an error.
Banque de Tahiti
You have to enter your password using this *very* Frenchy keypad. You don't have lowercase letters, the blanks are not spaces but just non-clickable gaps, but as a compensation you have some weird symbols that your keyboard does not have a key for (e.g. `µ`). No accessible version available.
Battle.net
8 to 16 characters, at least one number and one letter and last but not least NO special characters, and can't have a password that looks like your username too. Oh, and passwords are NOT case sensitive. A real time travel adventure through the password rules of 2005!
Bendigo Bank
**Exactly** eight characters.
Benergy4
12 to 25 characters, only these special chars allowed: @+/'!#$^?:,.(){}[]~-. Also, security questions.
Best Buy
You can enter whatever password you like! But you probably don't want to make it too long, because you'll break us and you'll never be able to login again.
BinckBank
Between 10 and 16 letters and/or digits. No special characters are allowed. Must be renewed at least every 180 days, but you can configure to let the password expire sooner. When changing the password, the new password cannot be too similar to the existing password.
Blackrock
They force you to enter a password that has 8, 9, or 10 characters, then they lecture you on how to create a strong password.
Bloomingdale's
16 characters maximum, no `.` `,` `-` `|` `/` `=` or `_` allowed.
Blue Cross Blue Shield Massachusetts
16 maximum and no special characters. Protecting your US healthcare information.
Boligøen (Danish resident renting bureau)
Red text: "Your password has to be at least 6 characters, but NOT over 20 characters."
Boursorama
"To ensure the highest level of security, your password must have... 8 digits". And it must be entered using a funny keypad with the digits in the wrong order.
Bouygues Telecom
- Password cannot be more than 20 characters long - Password can't contain special chars other than ASCII ones (for a French website this sucks as é, à, ç and so on are rejected...)
CAF (French Family Allowance Fund)
You have to enter your 8-digit password using this Frenchy keypad.
CENLAR
Your password can meet all the requirements in the list and still be invalid due to an unspecified rule: any "special characters" that are not listed in the help text are not allowed. Worse, it provides no useful feedback other than the "New Password" field is red.
CGHS
Can't use any special characters except @ $ # ? _ * &
CVent
Password Rules - 8 to 20 characters with at least 1 number and 1 letter. - No symbols or spaces.
CWT Business Travel Management Company
Password: - 8 to 32 characters long - Must contain a combination of letters, numbers and symbols - Must be different from your username - Must be different from 5 previous passwords
California Department of Motor Vehicles
They also prohibit pasting into the password field by using a JavaScript `alert()` whenever you right-click or press the `Ctrl` button, so you can't use a password manager.
Canada Revenue Agency
Password checklist: - 8 to 16 characters - At least 1 upper-case character - At least 1 lower-case character - At least 1 digit - No space - No accented characters - No special characters except: dot (.), dash (-), underscore (_), and apostrophe (') - No more than 4 consecutive identical characters
Canadian Imperial Bank of Commerce
Letters and numbers only, no symbols. Also an undocumented maximum of 12 characters!
Capital One
- May only use the following characters: Aa-Zz 0-9 - _ . / \\ @ $ * & ! # - No spaces
CenturyLink
So many bad ideas: a low maximum length, requiring six specific character types while not accepting common symbols, plus a weird restriction that makes random generation harder.
CenturyLink Residential
Your password is too long. But how long can it be? Oh, we won't tell you.
Charles Sturt University
Prevents spaces and a set list of characters, limits to 30 characters and can only change your password twice per day.
Chase Bank
* Can't use any special characters except ! # $ % + / = @ ~ * Max length restriction (32 characters). * No runs of identical characters ("aaa") or sequential characters ("abc"). * Password check is case-insensitive
Chegg
Here are the (only fairly poor) rules for a new password. Enter 64 character password that matches all the rules (notice no rules on maximum length). That password you entered looks good! But we didn't change it. And your old password doesn't work. Or the new one. ¯\\\_(ツ)\_/¯
Cigna
A max of 12 characters... Can't handle most symbols (only 5 supported). At least they have two factor auth via email or sms **sigh**
Citi
* Password is case-insensitive * Can't use ANY special characters (although, adding special characters increases the "password strength" meter?!) * Allows for a minimum password length of 6 characters * No runs of more than two identical characters (eg. "aaa" is not allowed.) * Does not allow you to paste passwords.
CloverSecurity
* Password restricts quantity of characters "of same case", making [correcthorsebatterystaple](https://xkcd.com/936/)-style passwords problematic * No feedback for which rules are broken * Unlisted prohibited characters
CodePen
The password should be of at least 8 characters and must include a number, special character, an upper as well as a lowercase letter
Coil
Does not allow simple characters and sequences such as '4587' or 'efgh' in password & necessarily requires numeric values.
College Board
Password must be 9-30 characters with at least one upper case letter, one lower case letter, one number and one special character (no spaces) and be different than your username.
Combank Digital
Only a staggering 8-12 characters allowed with prescribed selection of special characters.
Comcast
Your password should be difficult to guess as long as it's not over 16 characters long.
Commsec
Another financial institution with short password requirements. They also block pasting in to the field, making it a pain to use a password manager.
Copart
Copart: "The security of our members is extremely important to us." Also Copart: "We're gonna need you to keep your password between 5-10 characters."
Coppell, TX - Water Utility
Local Utility with a password restriction of 30 characters. Better than some for sure, but still dumb.
Copyright.gov
I wonder if they cooperate with NSA to enforce the password rules.
Costco.com
Due to Costco's short max password length of 16 characters, I strongly recommend using a password manager to make a random password to satisfy all of these conditions below: * Use between 8 and 16 characters * Include at least one lowercase (a-z) and one uppercase letter (A-Z) * Include at least one special character (e.g. !@#$&) - i.e., any symbol above the 0-9 keys) * Does not contain blank spaces or the following special characters: < > , * Include at least one digit (0-9) For the record, at least Costco.com has greatly improved after the summer of 2021 - before that, the site used to prohibit copying and pasting passwords, which prevented password managers from working properly. I believe the max password length was also longer before the summer of 2021 (either 20 or 32 characters), but I cannot confirm this since I never took a screenshot.
Coventry Building Society
Password has to be between 6 and 10 characters, can't contain any punctuation and you have to give characters from it on the phone to confirm identity.
Craigslist
No minimum character limit meaning you can go as low as 5 characters for a password
Credit Agricole
* Login is a predefined 11 digits long identifier that you can not change * Password is a 6 digits long identifier that you need to input using your mouse
Credit Union Australia (CUA) Health
Password must be between 7 and 10 characters, contain both an uppercase and a lowercase letter and have at least one number.
Crédit Agricole Centre-Est
You have to enter your 6-digit password using this Frenchy keypad.
Crédit Mutuel de Bretagne
Password must be 10-16 characters with at least one letter, one number and no special character.
DBS Bank (Singapore)
`[[:digit:]]{6,8}`
DJI
The symbol `\` is banned without a notice, it'll probably escape whatever you'll put in, just why...
Datart.cz
Czech eshop Password: - Max length is 20 characters - No special characters allowed (only alphanumeric)
Daybreak Games
Max password length is 15 characters The only special characters that can be used are !"#$%
Dell
Okay at least 6, that's alright I guess. Oh at least one number and one letter, bit dumb but hey not that dumb. But hiding the fact that it has a max of 20, now THAT is dumb!
Deloitte GlobalAdvantage
Rules that are completely arbitrary that basically make all safe passwords wrong, instead forcing pseudo-safe password combinations.
Delta
It's a good thing they don't store personal information such as your passport number... oh wait.
Deutsche Kreditbank AG (DKB)
Passwords for the online banking web frontend do not have a max length constraint, but using the same password to log in to the official iOS DKB app requires the password to be no longer than 38 characters.
Digital Credit Union (DCU)
Must be between 8 and 40 characters, uppercase and lowercase, one number, one special character... whatever. But special characters are limited to -#$%+?~*!. (and space). WHY?!
Discovery Benefits
Requires at least one symbol, but must be one of `! @ # $ % & * ?`, and also has an unstated max length of 20 characters.
Dnevnik.ru
Silently (sic!) trim password to 30 symbols. That causes the stupid case when you could successfully registrate an account with password length of 52 and can't login with the password.
Domainname.shop
domainname.shop operates under several domains, domene.shop (Norway), domän.shop (Sweeden), domæne.shop (Denmark). The following characters are allowed: A-Z, a-z, 0-9 and + - * / ! ? . , : ; = # @ $ % & ( ) < >, password length 10-79 chars
Dutch Tax Authorities (Belastingdienst)
At least 8 and at most 25 characters, of which at least 3 of the characters were not used in the previous password. No more than 3 of the same characters. At least 1 upper case and 4 lower case characters. No more than 3 special characters. It's not like hashing passwords is a thing or something.
Dwr Cymru (Welsh Water)
Limits password length to a maximum of 16 characters
E-Redes
Portuguese power distribution company, which requires short passwords (10 to 15 characters), no repetition of the same character, not using the username, the word "PASS" or the word "SAP" in the password, and limiting which special characters can be used.
E-Trade
Causes: * Your two-factor authentication code must be appended to the end of the password * Passwords have a limit of 32 characters Effect: If your account has a 32-character password and has two-factor authentication, their system appears to cut off the token, making it impossible to login. You must reduce your password to 26 characters in order to login with a token.
E-learning (Unipd)
Exactly 8 characters for password! There must be at least 1 lowercase letter, at least 1 uppercase letter, at least 1 number and at least 1 *special* char ( \* , . $ # @ etc...).
EON
By the time I'd finished reading the rules I've forgotten all of them.
Easybank (Austrian direct bank)
- At least 8 and at most 16 (!) characters - **Must start with 5 digits (do we really want to know what's going on there?)** - At least one uppercase and one lowercase letter - (Some) special characters are permitted, most are not - "Simple" patterns are prohibited - PINs are case sensitive (at least it's something)
Easyjet
No more than 20 characters, use any symbols you like... Oh except #, &, +, or space of course.
El Corte Ingles
Min 6 and max 8 characters for password! Can't contain anything different than letters and numbers. Apart, the email address must have at least 8 characters (sorry million dollar domain owners! :D)
Electronic Arts (EA)
Your password must be 8 - 16 characters, and include at least one lowercase letter, one uppercase letter, and a number.
EllieMae Access
Must reset password every 6 months and password requirements are not displayed _anywhere_. Reset uses a Security Question, and you have to choose from a list of 5.
Entwickler.de
Your password must be 12-20 characters.
Equifax - The Work Number
Eight to sixteen characters, numeric digits only, not the same as the User ID. * Number of permutations: 1E+16 * Number of permutations for the weakest length: 1E+8 * vs permutations for a 8-16 password using standard characters: 4E+31 * vs permutations for the weakest length of 8 using standard characters: 7E+15 * Other issues: allows and encourages the use of sequences like "12345678", SSN, DOB, today's date * At stake: last 4 digits of SSN, current and past addresses, and detailed work history of millions of Americans, down to how much their paycheck was in the third week of September 2007 * Past security screw-ups by this company: [https://en.wikipedia.org/wiki/Equifax#Security_Failings](https://en.wikipedia.org/wiki/Equifax#Security_Failings)
Eurocircuits
Minimum 4 and maximum 30 chars. Use only letters (a-z), numbers (0-9) and underscore (_)
Express Energy
Retail Electricity Provider (REP) participating in ERCOT. Minimum 6, maximum 10. Stated requirement of numbers and letters, but special characters are accepted.
FACE IT Ltd. (Faceit)
Your password must be 6 - 20 characters. No special characters or numbers required.
Fidelity
No more than 20 characters and leave out characters commonly used by programmers. We don't want you to hack the mainframe.
Fidelity National Information Services
White label online banking provider. Typically appears as `BANK.ibanking-services.com` or `BANK.ebanking-services.com`. If your small local bank has a crappy online banking experience, these guys probably provide it. `\<>'` and spaces prohibited, upper bound. Passwords of exactly the maximum length are truncated by one character. Unlisted prohibited characters.
Freepik
Has to be between 6 and *30* characters, needs to have a number, letter, capital letter, symbol BUT no whitespaces.
Fundatec
Must be exactly 6 alphanumeric characters, does not show special characters are not allowed, username is your social security number (easily searchable) and the form is sent over plain HTTP. Did I mention this company applies college entrance exams for **Computer Science** nationwide in Brazil?
GameFly
Password is 6-12 characters with no other restrictions. You can easily do 6 numbers, 6 lowercase letters, etc.
Gebührenfrei MasterCard
The new password can only have 6-12 characters. It *may* contain letters, numbers and a fixed set of special characters.
Getin Bank
The new password should contain at least 10 and a maximum of 20 characters. The password must contain at least one upper case letter, one lower case letter and one number. The password cannot contain non-ASCII Polish alphabet characters, special characters `&<'"` or spaces.
Global Entry
"Our duties are wide-ranging, and our goal is clear - keeping America safe."
GoDaddy
Some characters are **too** special.
GoDaddy SFTP
Max 14 characters for the most important password in your shared hosting environment.
GoFundMe
- At least one uppercase and one lowercase letter - At least one number and one special symbol - Does not specify which characters are considered special symbols; did not recognize spaces as special symbols
Green Flag
- 8 to 10 characters - No special characters
HDFC Bank
Only a maximum of 15 characters and some special characters are not allowed.
HM Revenue & Customs (UK Tax)
We store basically all of your data, but we can't store your password.
HSA Bank
- Must be minimum 12 characters - Must not be one of user's past 5 passwords - Must contain uppercase and lowercase letters - Must contain a number - Must not be the same as user's account number or login/username But also... - Cannot be longer than 20 characters
Hetzner
- 8 or more characters - At least one uppercase and one lowercase letter - At least one number or special character Okay, fair enough, but after putting in a password with some special characters this message appears: - Invalid characters, allowed are: A-Z a-z 0-9 ä ö ü ß Ä Ö Ü ^ ! $ % / ( ) = ? + # - . , ; : ~ * @ [ ] { } _ ° § You can't use ``&<>'"\|´```, spaces and any other non-ascii character.
IBM
12-63 characters One uppercase character One lowercase character One number Sufficiently Strong Special characters are optional. Double byte characters are not allowed
IBM TSO/E Logon terminal
It might not be a web site, but that does not make it less dumb. Since many don't know about IBM mainframes, it seems they don't think you need to up the policies. Default old password policy is: 6-8 characters long, A-Z, 0-9 Over the last few years they have updated their policies a bit, but due to many of their subsystems are incompatible, they can't enforce the new options for safer passwords.
ICAgile
Observed on November 17, 2020: Password must contain: - 8-15 total characters - At least one lowercase letter - At least one uppercase letter - At least one number - At least one special character (e.g., !#$%^*) They don't seem to have a public registration form. You receive a registration link after completing a course with one of their accredited providers.
IHG
4, yes 4, digits only.
IKEA
Dumb restriction for consecutive similar characters. Wonder if someone got more that 2 identical characters in their name then it won't allow you to even use name in password. Password must contain: - 8-20 characters - **No more than 2 identical characters in a row** - A lowercase letter (a-z) - An uppercase letter (A-Z) - Number or special character
ING Australia
4 numeric digits. "Added security" by randomising the positions on the keypad. Must be clicked.
ING Romania's Internet Banking Portal
No more, no less than 5 digits. This is the password you use to log in and to confirm online transactions. They used to have "normal" passwords and they forced everybody to change to the 5 digits versions. They said they've made it "so it's easier for you" and it's OK, because everybody has 2FA.
ING a dutch bank in almost 50 countries
Max 20 characters, must have one number, one upper case character and one lower case character. You can only use certain special characters. When i asked about it they answer that it's really hard to change it. When i asked if the password is saved as a hash or just plain they send the answer to the technical department this was march 2018.
INSS (Instituto Nacional do Seguro Social)
The National Social Security Institute (INSS) is an autarchy of the Government of Brazil linked to the Ministry of Economy that receives the contributions for the maintenance of the General Social Security System, responsible for the payment of pensions, maternity pay, death pay, sickness pay, accident pay, seclusion pay and other benefits for those who acquire the right to these benefits as provided by law. The INSS works with Dataprev, a technology company that processes all Social Security data. But: - Special characters is not required - Exact 9 digits - At least 1 lowercase, 1 uppercase letter and a 1 number
IRS
Password rules: - Between 8 and 32 characters long - Must contain at least one numeric and one special character (!@#$%&*) - At least one uppercase and at least one lowercase letter
Inpost
Allows between 8 to 16 characters. Password is being used to log in and view packages sent to you, or for shipping packages.
Inria
This is the account for those who work at [Inria](https://www.inria.fr/) "the French national research institute for the digital sciences". You have to wonder what's wrong with these special characters but not the other ones. - Password expiration once a year - Your password must contain at least 8 characters. - Your password can't be a commonly used password. - Your password can't be entirely numeric. - Your password cannot contain non ascii chars - Your password cannot contain ^ " ' space ; \ / - Your password must contain at least 2 punctuation - Your password must contain at least 1 uppercase - Your password must contain at least 1 lowercase - Your password cannot contain your login (or substring of login) - Your password cannot contain your last name (or substring of last name) - Your password cannot contain your first name (or substring of first name)
Intel
Intelink Passport
Intelink is a group of "secure" intranets used by the United States Intelligence Community. Passport is an identity and access management service for Intelink. Rule #3 prohibits three or more consecutive uppercase, lowercase, or digit characters, even if those characters are not the same. For example, a password with "ABC" or "829" anywhere in it would not be allowed.
Interactive Brokers
Usual dumb password restrictions, but this one has incredibly dumb **username** restrictions too: **Username:** - **Length of 8 or 9 letters and numbers** - **Contain at least 3 letters and 3 numbers** - Begin with a letter - Lower case only, no spaces, no special characters **Password:** - Cannot match username - Length of 8 to 40 characters - Contain at least 1 letter - Contain at least 1 number - Case sensitive, **no spaces, no special characters**
Irodoricomics
A website to buy english-localized doujins. The password must be between 4 and 20 characters long
Itaú Bank
I know, it's in spanish, let me translate this monstrosity for you. - Allowed characters: letters A to Z uppercase or lowercase (ñ is not allowed), number 0 to 9, #, $, %, &, +, -, . :, ;, _. - You must use 8 characters. - The password must contain at least one letter and at least one number. - You can't repeat the same character more than two times in a row. - Avoid using basic character sequences such as "qwerty", "asdf", "1234" or "9876". _Just in case, that's eight characters. Not seven, not nine. That's dumb and insecure enough... What they don't tell you is that the passwords are are actually **not** case sensitive._
Izly by Crous
Izly by Crous is an **imposed** French payment service for the university. You can't pay your daily meal without that because yeah you know cash is an ancient dumb thing. Your username is firstname.lastname@youruniversity.fr or your phone number. We only allow you a fixed 6 numbers password. Oh yeah we also block your account after three failed attempts. How convenient when the only thing you need to know is the name of someone and where they study. How convenient indeed. Oh and also look we got pages **NOT TRANSLATED IN FRENCH** because duh.
Jaa Lifestyle
When we try to change password and accidentally gave a wrong password for confirm password. Lets try to read and figure out what they are trying to point out.
Jitterbit
While not the dumbest password rule, still dumb. Password must have a length of at least eight characters and contain at least one: number, special char `!#$%-_=+<>`, capital letter, and lowercase letter.
Keimyung University
Okay, doesn't looks that hard... But wait, there are hidden rules! Hidden rules: your password can't have 3 times the same character in a row or more than 2 consecutive numbers. Also if your password is 20 characters or more you won't be able to write it in the mobile app.
Kryterion Webassessor
I was quite surprised to see this when I was registering for my Google Professional Cloud **Security** Engineer certification. Nice part is that they **don't allow quotes** as special character, so I assume there possibly might be some other issues on their backends. :-)
LCL
You have to enter your 6-digit password using this Frenchy keypad.
LINE
Password must: - be between 8 to 20 characters - not contain characters that repeat in a row Password must contain three of the following: - an upper-case letter - a lower-case letter - a number - a symbol
La Banque Postale
Password must be 6 digits and entered on custom pad.
Lenovo
Between 8 and 20, not more.
LepidaID
Password must: - be 8 to 16 characters in length - contain at least 1 upper-case character - contain at least 1 lower-case character - contain at least 1 number - contain at least 1 non-alphanumeric character - not contain more than 2 of the same consecutive characters - not contain any public data of the user like username, surname, birthdate, fiscal code, social security number, driver license number, etc. - not contain any common word like first names, common surnames, brands, years, words that can be found in dictionaries... - not used before Moreover password will expire every 180 days. Actually, many swear words are permitted.
Liberty Mutual
Must not contain spaces or the following characters: @/\*%<&+>
LibraryThing
"Your password cannot be longer than 20 characters"
Lloyds Bank
Max 15 characters, min 8. You cannot use **ANY** special characters - alpha-numerics only. This amazingly terrible password policy combines with a known phrase (The "Memorable Information") of which you will be asked for a random 3 characters of if you get your password right. This phrase has similar alpha-numeric restrictions applied.
Lowes
- Be 8 to 12 characters in length - Include at least 1 letter and 1 number - Contain no spaces - Contain no more than 3 of the same consecutive characters
Lufthansa
- minimum of 8 character(s) - minimum of 1 lowercase letter(s) - minimum of 1 uppercase letter(s) - minimum of 1 number(s) - minimum of 1 special character (s)!\"$%&()*+,-./:;#<>?_@\\ - does not match the Username - Not used before, not easy to guess
M and M Direct
- Maximum length of 24 characters - Cannot contain special characters, eg. ! # $ " @
ME Bank
- Must be all numerals. - Be 7 to 20 digits. - Cannot have the same number three times in a row. - Cannot have four ascending or descending numbers. - Cannot have the same number appear more than five times. - Cannot have pairs next to each other if the second pair is one number higher. - Cannot be the same as 8 previous ones.
MKB NetBankár
It only accepts lowercase letters, uppercase letters and numbers (any other character counts as forbidden character). Also, if your password contains any invalid character, it will get marked as "Identical to the former 10 passwords". To make it more fun, during the registration, it allows to set a 24 characters password to login to their website. Once you try to login with the password, it will say that the maximum length accepted is 16 characters. What actually happens, is that they let you insert 24 characters during registration, but only the first 16 will get actually used as password.
MTS Serbia
MTS is a national mobile and internet provider in Serbia and they have bad password rules. Translation: The password must have more than 6 character, less than 17 characters and one of the following combinations: upper case or lower case letter and a number, upper case or lower case letter and a symbol, and a symbol and a number. Characters []<>'&\", are not allowed.
Major League Baseball
When creating a new account they enforce some password rules like: length must be between 8 and 15 characters and there must be one upper case, one lower case letter and one number.
MarketWatch
- Cannot be longer than 15 characters. - Must contain one number. - Cannot contain spaces, %, & or +.
Maxpreps
[Natalie Weiner](https://twitter.com/natalieweiner/status/1034533245839450113?s=19) can't sign in because her's lastname is offensive language for the website
Merrill Lynch
Passwords must be between 8 and 20 characters, and some special characters are allowed. Users with randomly-generated passwords may find it particularly annoying to generate a password that works for their password safe.
Mes Services Étudiant
At least 6 characters, one uppercase letter, one lowercase letter, one digit and one "special character". These do not count as "special characters": `` + - = | @ " ' # ( ) [ ] { } < > / \ ` ;``.
MetLife
Max length of 20 characters, no special characters allowed. Pasting into the second password field is disabled even with the Chrome extension Don't Fuck With Paste.
Michigan.gov
Must use special characters, but only from this list of stuff we think is safe or whatever.
Microsoft (e company store)
Max of 16 character oh and please don't use any characters we don'y know how to escape properly also if it starts with ? you may break our wonderful website. What out with your password generator duplicated characters is far too insecure to allow here.
Microsoft (work accounts)
What doesn't seem to be a problem for personal accounts, is for work accounts from Microsoft (e.g. Office 365 etc.). Maximum 16 characters. So forget about using your new fancy diceware password here - or really any secure passwords in general. Oh - and besides that, please don't use any "exotic" symbols, like ¤ or €. Or the letters Æ, Ø or Å from the Danish alphabet. They all are supposedly "spaces".
Mindware
You "*may use special characters*", but only some of them - and we won't necessarily tell you which ones.
Minecraft
Using a 16 character password seems to work. Everything else above does not always work. Also, passwords that are too long are still changed, so you have to reset them by email.
Minnesota Unemployment Insurance
Locked to *exactly* 6 chars, alphanumeric only, not special chars.
Mobi Bike Share
Your PIN (which is the password you use to login, which lets you, say, buy hundreds of dollars worth of bike-share subscriptions off the saved credit card) must be four numeric digits. Helpfully, they even give you an example of a PIN: *1234*.
MobileIron MDM
You can't make this up - no dictionary words, no more than 2 repeating characters, no alphabetic sequences, no whitespace, 3 character sets, maximum of 32 characters.
Mobility
The username is the customer number, which is sequential and cannot be changed, currently 7 digits long for new customers. The password has to be exactly 6 digits long, only numbers allowed.
Moose Mobile
Moose mobile is an Australian mobile service provider that imposes poor password requirements. "The password must be of minimum 4 and maximum 15 characters. The Confirm Password field may only contain alpha-numeric characters."
Movistar
Min 7 and max 8 characters for password! Also to be different than the username: the user name is automatically generated and is based on the surname of the user with some characters replaced by digits :) Has been that way for more than 10 years.
My Prepaid Center
Only six legal special characters; maximum password length is 20 characters.
MySwissLife
User ID *has to* be 8 characters exactly, password *has to be* 8 characters and numbers only.
Mycanal
- Minimum of 8 characters - Contain at least 1 uppercase character or 1 number - Can not contain these characters : ‹ › ' "
NASA Earth Data
Username must: - Be a Minimum of 4 characters - Be a Maximum of 30 characters - Use letters, numbers, periods, and underscores - Not contain any blank spaces - Not begin, end or contain two consecutive special characters(._) Password must contain: - Minimum of 8 characters - One Uppercase letter - One Lowercase letter - One Number
NBA Store
- Password cannot be longer than 20 characters
NBC (National Bank of Canada)
- Password length must be 8 to 25 characters - Password must contain at least one lower letter (any position) - Password must contain at least one digit (any position) - Password cannot contain spaces. - Copy/paste is not allowed when trying to set a new password
NBank
User ID *has to* contain special characters, password *may not* contain (basically) any special characters.
NVV (Nordhessische VerkehrsVerbund)
Password length must be 4 to 10 characters with only a few special characters allowed.
Nachbarschaft.NET
"Mindestens 6 und maximal 12 Zeichen" - or in English: "At least 6 and max. 12 characters.
Nectar API
The Nectar website allows strong passwords. However, when trying to link my Sainsbury's account, I found the API has different ideas... - Password field length capped to 16 characters
Nelnet (student loan servicer)
8 to 15 characters and no spaces? Why no spaces? Also limited to only these 6 special characters. That could mean that there is some process somewhere that puts this as part of a command line invocation.
NetBank (Commonwealth Bank of Australia)
When resetting your NetBank password, the website only informs you that you can create an alphanumeric password, despite the fact that you can use special characters. And also, it's password strength calculation is shit. An 155 bits of entropy password is "weak." Additionally, passwords are case-insensitive. This isn't the worst I've seen, but on a bank, it's just bad. - Password length capped to 16 characters (min. 8) - Disallows use of <>^{}~= (interestingly, not quotes. so I wonder why these aren't allowed?) - Must include at least one number
Netflix
[The help page](https://help.netflix.com/de/node/54078) and the [password reset page](https://www.netflix.com/password) say: Ihr Passwort muss zwischen 4 und 60 Zeichen lang sein und darf keine Tilde (~) enthalten.
NetworkRail Open Data Feeds
Does require special characters but limits password length to 20.
Nevada DMV
- Password length must be exactly 8 characters in length - Password must contain at least one letter (any position) - Password must contain at least one number (any position) - Password must contain one of the following special characters: @ # $ - Password is not case sensitive
Nintendo
Password between 8-20 characters, at least two "categories" of characters, and cannot use the same character more than twice in a row. At least it supports MFA.
NordVPN
- Password cannot be longer than 48 characters.
O2 Spain
When registering in *Mi O2* app, password length must be exactly 7 or 8 characters (numbers and letters only). As O2 is part of Telefónica (Movistar), it seems to use the same backend (at least in Spain), so it has the [`same password requirements`](https://dumbpasswordrules.com/sites/movistar/).
Omnivox
Password length must be 8 to 20 characters long with lower case characters and numbers only.
Onleihe
Password is your birthday in format ddmmyyyy. Users are not allowed to change their passwords
Oracle
*Should not* or *must not*? RFC 2119 may want a word with you.
Origin
Password must be between 8 and 16 characters long
PCPartPicker
There are no rules for passwords. Passwords can be any length (including one character) of any complexity. No password change confirmation emails are sent.
PagoMisCuentas
Password must be between 8 and 15 alphanumeric characters, and have at least one uppercase and one lowercase letter.
Parnassus Investments
A site responsible for protecting your investments limiting you to a four character range with a bunch of other stupid rules? Shocking.
PayPal
Must be between 8 and 20 characters, no spaces, uppercase and lowercase, one symbol... The rule limits special characters to !@#$%^&*(). but my current password has a "-" in it so someone decided to restrict this further which is totally backwards. Things are meant to get better not worse!
Paytm
Password must be between 5 and 15 characters. Also, spaces don't count as characters.
PizzaHut
Passwords must be greater than 6 characters, and have an arbitrary set of rules we don't tell you about until after you try to set your password.
Pole-Emploi
Password must contain at least one letter, one number and one character from `&-_@*%=.,;:!?` only. It rejected passwords generated by pass, while accepting `p@ssw0rd!`... They also block pasting on the password confirmation field, forcing you to manually type your 32-letters-long generated password.
Polytechnique Montreal
Passwords must have a minimum length of 8 characters Passwords must have a maximum length of 30 characters Passwords must contain a minimum of 2 digits Passwords must contain a minimum of 2 letters Password must be different than the last one used Passwords may contain these special characters (! & % $)
Premera Blue Cross
Password must contain 8-30 characters, including one letter and one number. "Special characters allowed" seems to mean a very small handful of choices you can only find through trial and error `-_'.@`
Progressive Home by Homesite
Password must be a minimum of 8 characters. Passwords must have one lowercase character. Passwords must have one uppercase character. Passwords must have one number. Passwords must have one special character in the following list: `!'#$ ~`!@#$%^&*()-_+=?<,>.{}[]|;:` Furthermore, when resetting your password, it allows for up to 20 (i haven't tested past this) characters. However, when you log in, it only allows passwords up to 12 characters in length. So that newly created password will work once and only once.
Raiffeisen Bank Serbia
There are a couple of password limitations when creating a new account (and changing existing password) on Raiffeisen Bank Serbia on-line banking portal. Password length is limited to minimum 8 and maximum 32 characters. Also, minimum uppercase letters 1, minimum lowercase letter 1, minimum digits 2, minimum special characters 0 (Ok...), maximum consecutive identical characters 4 and first character must be a letter. Image shows the password update screen, but the requirements are the same for account creation.
Really Useful Storage Boxes
- Have a length between 8 and 20 alphanumeric characters (without accents) - Contain at least 1 CAPITAL letter - Contain at least 1 lowercase letter - Contain at least 1 numeric character - Contain at least 1 special character taken from the following list: *$@&()[]{}=#.-!?+/£€%
Red Hat
Symbols. You keep using that word. I don't think it means what you think it means.
Rediff
A maximum password length of 12. The hidden requirements are: - at least 1 uppercase letter - at least 1 lowercase letter - at least 1 numeric character - at least 1 special symbol (which can not be ^, %)
Replit
Forces to use minimum 8 characters in the password and it must contain at least one uppercase.
Return of Reckoning
Password must be between 6 and 100 characters. It doesn't say on the website, but the password only works in the related game client if it is purely alphanumeric. Not even special characters like % or $ are allowed.
Rogers
I can only use 4 special characters? Password guidelines - Your password should be between 8-20 characters and have at least one number and one letter. - The following special characters are allowed: ! @ # $
Roll 20
Your new password must be at least 4 characters long and no longer than 40 characters. Your password was not changed.
Runescape
A minimum password length of 5, and maximum password length of 20. Does not tell you that your password is NOT case sensitive. Hidden requirements: Alphanumeric only, no symbols, no repeated characters.
Rushmore Loan Management Services
Hmmm.. why are they afraid of double and single quotes in my passwords?
SAP Cloud Appliance Library
Passwords between 8 and 9 characters are the best.
SAS Eurobonus
The best thing about rules, is that you can multiple different ones! Like SAS that allows you to have a long password at least when signing up, but you'll be sorry if you want to change your password later on.
Safeway
Passwords limited to 8-12 characters.
Sampath Bank
So many rules!
Saturn
Passwords need to be between 8 and 15 characters.
Scandinavian Airlines
The password rules itself is fine, but, it doesn't inform about the max length of the password. Their max length is 14 characters, so even if you enter a password of 42 chars, you can login with the first 14 of it. In this case, I changed my password to **Super_l0ng_password_that_fits_all_criteria**, and could login with **Super_l0ng_pas** Answer form SAS customer service: > Hi, > Thank you for your e-mail. > Our website only takes 14 characters as a password, so somehow when you registered it took all 49. > But since our website only asks for 14 characters anything after will be valid. > I would advice you to change your password. > Have a wonderful day.
Sears
"cAsE sensitive, no spaces, ! or ? 8 characters min - 1 letter, 1 number Can't repeat same character more than 3 times in a row Cannot be or contain your username or email address"
SecureAccess Washington
Central authentication for all Washington State services (DoL, ESD, etc). Password must have *exactly* 10 characters, but form happily lets you enter more and only throws errors after submit, providing no useful feedback.
Securvita BKK
Your password can not exceed a length of 30 characters. However, they don't tell you this: If you try to set a longer password, they instead shame *you* for not including at least one uppercase letter, one lowercase letter, one digit and one symbol – *even if you did*. The error message translates to: > The password must contain uppercase letters, lowercase letters, numbers, and symbols.
Sephora
Password must be between 6 and 12 characters. No other rules specified.
Seur
Password must be between 8 and 12 characters... Also no symbols are allowed. But this isn't displayed.
Sharekhan
- At least 8 characters. - At most 12 characters.
Shell Fuel Rewards
- No less than 8 and no more than 16 characters - Allows only specific special characters: ! @ # $ % - Doesn't bother to tell you what characters are allowed or not. Hope you like reading JS.
SielteID
Sielte is one of the four Italian digital identity providers of level 3 (the highest available). The rules are as such: - At least 8 characters - At most 16 characters - Must have both lower and upper characters - Must have one or more digits and one or more of the following "special characters": `~!@#$%^&*()_-+={}[]\|:;"'<>,.?/-` - Must not have more than two identical consecutive characters Italian vowels with accents are considered to be invalid. Both the old and the new password are sent to the server without being hashed first. Validation happens on the server side only.
Singapore Airlines
`/[0-9]{6}/`
Sky Ticket
Sky is a german pay-TV provider with over 23 million subscribed users worldwide. They also have an online streaming service called "Sky Ticket". You can only set a **4 digit long PIN** with no option for two-factor authentication or any additional security mechanisms.
Slovenska sporitelna
Slovenska sporitelna is the biggest bank in Slovakia. Despite pretty new version of the internet banking (rolled out in 2018), their password policy restricts password to be 16 characters long at most and prohibits any special characters.
South Western Railway
Certain special characters disallowed, but notably the phrase " or " is disallowed also. They're probably papering over SQL injection vulnerabilities 🤦
Southwest
Password must be between 8 and 16 characters in length and include at least one uppercase letter and one number. Certain special characters are also allowed, but the first character of the password must be alphanumeric.
Sparda-Bank
Sparda is a group of German banks. They all use the same login form (except for Sparda-Bank Berlin, see below). Their equivalent of a password is called *Online-PIN*. As the name implies, only digits are allowed. (*Zifferneingabe* means "digit input"; it opens an on-screen number pad widget.) Not mentioned explicitly: Your PIN is limited to 6 characters, i.e. the range of valid "passwords" is from `000000` to `999999`. The odd one out is Sparda-Bank Berlin, which has different rules: - At least 8 characters. - At most 20 characters. - Only the following characters are allowed: a-z, A-Z, ä/Ä, ö/Ö, ü/Ü, ß, 0-9, and the "special characters" `@!%&/=?*+;:,._-`. - Your password must use either digits only (like a PIN) or at least one digit and at least one uppercase letter.
Sparkasse
„Sparkasse“ is a group of banks which is pretty popular in Germany. It calls its passwords „PIN“ („persönliche Identifikations-Nummer“ — personal identification number), the rules are pretty horrific and its not even a number, even though it is called as such! Here is a screenshot from the branch where I am from (Jena, Germany), but since they have a central IT, I think it will be identical in other branches: The rules are as such: - Only 5 characters - Small letters (a-z) - Large letters (A-Z) - Numbers (0-9) - „Special“ characters: ä,ö,ü,Ä,Ö,Ü and ß (Not surprising for a german Company) After the rules there some hints on how the password should not look like: - Combinations of your initials and the birth year - Your phone number or parts thereof - Your zipcode - Common combinations like 123ab or 55555 - Full or parts of your login credentials They also have this Android app for 2FA (called Push-TAN), but the rules are different: - At least 8 characters - At least one digit - At least one special character - Upper- and lowercase letters
Sprint
Sprint "upgraded" their security and disallow special characters.
Standard Chartered Bank
- Between 8 to 16 characters - Only letters and/or numbers
State Bank of India (Foreign Travel Card)
State Bank of India is the largest government operated bank in India. They offer "travel" prepaid cards for foreign currencies, this is for their portal for the prepaid card users to manage their account. Your password must: - Be between 8 and 9 characters long - Contain at least 1 lowercase character - Contain at least 1 uppercase character - Contain at least 1 special character - Contain at least 1 number - NOT contain any "hacking characters" - #, %, &, =, /, <
Stuttgart Media University
Your password has to be between 10 and 14 characters. Also, you need to have at least one number, one uppercase letter and one lowercase letter. And at least one of these special characters: ```!.,;+-=#$()[]{}&*```. But don't use any of these special characters: ```<>|§@€?:%^\"'`°~```. And don't use any umlauts. Or spaces. Or [diacritics](https://en.wikipedia.org/wiki/Diacritic). Finally, you can't have more than five letters in a row.
SunLife
- 8 to 10 characters - At least 1 letter and 1 number - No spaces, symbols, or accents
SunTrust
At least there are a variety of special characters to choose from.
Suncorp
To "improve security" and "be password savvy", passwords must: - be six to eight characters long - Contain both numbers and letters - Include upper and lowercase letters
Sunny Portal
The password must consist of at least 10 and at most 50 characters. It must contain at least one special character, one number, one lower-case letter and one upper-case letter. The following characters are permitted for the password: - Lower-case letters (a-z) - Upper-case letters (A-Z) - Digits (0-9) - Special characters (!\"§$%&/()=?*+'#-_.:,;|{[]}²³^°)
Synchrony Financial
Financial services - where we don't allow you to create the strongest password possible.
T-Mobile
We prefer to not tell you which characters you can use up front.
Taco Bell
Password may include special characters, except for #.
Taiwan Pingtung University
Password must: - Be between 8 ~ 15 characters long. - Exceeding 15 will result in an account lockout instead of erroring on submit. Otherwise, the max character length should be 20. - Contains at least 1 number character - Contains at least 1 lowercase character - Contains at least 1 uppercase character - NOT contain any special character - This rule is not listed on the official page; however, attempting to use a special character will result in an exception.
Tangerine
Your PIN can only contain numbers and must be between 4 and 6 numbers.
Tanishq
Password must contain: - 6 to 16 characters. - At least one special character (@, #, $, %, * and & only). - At least one alphabet. - At least one number.
Targobank
Your password must: - must not be your username - must at least eight characters - must contain at least one number character - must contain at least one uppercase character and 1 lowercase character - must not contain spaces - must not contain three identical characters in a row - must not contain three consecutive characters - must not contain special characters or umlauts
Techcombank
Your password must: - Be between 6 and 8 characters long - Contains at least 1 number character - Contains at least 1 lowercase character - Contains at least 1 uppercase character - Neither space nor unicode character is allowed. In fact, NO special characters is allowed - Must be changed every 90 days
Technishe Universität Hamburg
- Former passwords cannot be reused. - Passwords needs to be changed every 180 days - The new password must not contain your login nor parts of your name. - It should be at least 12 characters long, at most 20. - The password should contain characters of at least 3 of the following classes: - upper case letters: A-Z - lower case letters: a-z - digits: 0-9 - the following special characters: !#$%()*+,-./:;<=>?@[]_{}
Telcel
- The username is the cell phone number (easy to get) - The company creates a password between 8 and 12 characters for you - Password must contain at least 1 capital letter and no special characters
Telekom/T-Systems MyWorkplace
Telekom's MyWorkplace is a Single Sign On / login hub for their Open Telekom Cloud which is basically an Amazon AWS clone. It's rather new and especially for business customers. Especially because it is for business customers, there's absolutely no reason to limit a password to 16 characters. Even special characters are limited to a certain set.
Testprep Training
The max password size is 20 characters
Thames Water
Can only use the "special" characters on that very limited list, excluding symbols so exotic as an underscore, even. This is despite their own strength checker saying the password is strong.
Three
Password must be at least 7 characters long. The maximum length is inconsistent, however: when changing password, the maximum length is 30, but when resetting password via email link, the maximum length is 12.
Ticketmaster.de
Your password length is limited between 8 and 32 characters.
Trade Me
Won't allow spaces or single quotes. Maybe other characters as well - they do not say up front - but the password they accepted contained lots of other special characters.
TreasuryDirect
Will allow most passwords longer than 8 characters. Doesn't tell you there is a maximum length of 16 characters. Then forces you to type it with an on-screen keyboard with no capital letters.
Trenitalia
- Password must consist of at least 8 characters - Must contain at least one lowercase character - Must contain at least one uppercase character - Must contain at least one number - Must contain at least one special character - The only allowed special charaters are _*-+!?,:;. - Pasting into the confirmation form is disabled, so you have to manually copy the password from your password manager.
Turkish Airlines
- Your password must consist of 6 digits - Make sure that your password does not contain your date of birth or three consecutive digits... - but two is OK, for sure. - ... and that the same number is not repeated three or more times. - but two times is probs OK
Twilio
Restriction in inclusion of characters such as 'Twilio' in password. Password must be 16 or more characters & Can't include 3 or more consecutive repeated characters.
TwinSpires
You can gamble on our site. We'll keep your money secure with a 12 character password!
UL Standards
- Passwords must be between 8 and 12 characters - Passwords cannot contain any blank spaces - Passwords must contain at least one number, one uppercase letter, and one lowercase letter. - Password Reset will randomly fail for no reason.
URSSAF (French employers tax collection service)
When setting a new password: Password must be exactly 8 characters, at least 1 letter, at least 1 number, but no special characters.
USAA Bank
Password cannot be longer than 12 characters but they don't tell you that until after you try a new password. To make up for this fact they've added dubious additional security features on top of this weak foundation.
Ubisoft
Only tells you the rules after submitting and clicking a link to a pop up window.
UniSuper
Passwords need: - a lower case letter - a number - a capital letter - at least 8 characters In the 'Change password' form, passwords are now restricted to a `maxlength` of 18. If your current password is longer than 18 characters, you won't be able to change your password. When I contacted them about this, they "passed on" my "experience and concerns" for review and simply reset my password. Now I wish I'd just said nothing and kept my 50-character password.
Unicaja
Username is your national Spanish ID (easy to find). Your password must be 6 characters long. You can't type, only select characters from the virtual keyboard
United Airlines
Security questions (and their answers!) must both be picked from dropdown menus with a limited number of answers and there is no option for unique answers.
United Kingdom Post Office
Will not allow you to copy-paste your password into the text box (e.g. from a password manager). Because allowing people to copy their passwords over will defintely not result in weak passwords :)
United Parcel Service of America
Your password must: - Be between 7 and 26 characters long - Contain at least 1 lowercase character - Contain at least 1 uppercase character - Contain at least 1 number character - Contain one special character (!@#$%*) - NOT contain first or last name - NOT contain UPS user ID - NOT contain email address
United States Department of State MyTravel.State.Gov
- Must be between 12 and 24 characters. - Must contain at least one uppercase and one lowercase letter. - Must contain at least one number. - Must contain at least one of the following special characters: ~ ` ! @ # $ % ^ & * ( ) _ - . ? { } [ ] | : ; " ' = + / , - Password must not match or contain: first name, last name, email address. - Unicode characters are not permitted. - Must not be one of the previous 24 passwords.
United States Postal Service
Pick from an arbitrary list of symbols, and no repeating characters.
University of California San Diego
Passwords must be between 8 and **11** characters long!
University of Texas at Austin
Because of the last two rules, which ban dictionary words and any variants using symbol substitutions, *neither* of the passwords presented in the [xkcd comic](https://xkcd.com/936/) are allowed.
University of Western Australia (Pheme)
Passwords: 1. Must contain at least 8 characters; 2. Must contain at least 3 out of 4 types of characters (uppercase letters, lowercase letters, digits, special characters); and 3. Must not contain "the user's account name or parts of the user's full name that exceed two consecutive characters". **New passwords are silently truncated to 30 characters.** Inspecting the change password input field reveals a `maxlength="30"` attribute, but this isn't obvious to the average user because the field isn't physically wide enough to see the truncation. There is no warning or error message. If you subsequently try to login with the untruncated password, it doesn't work because the password input field on the *login* page *doesn't* have a `maxlength="30"` attribute (and neither does the input field for Outlook email). Passwords must be changed every 6 months.
University of Windsor
The password policy applies to alumni as well. Must be at least 10 characters long, with at least 1 upper case and 1 lower case character, at least 1 number, at least 1 special character. Password expires every 120 days, and you can't reuse an old one.
Vancity Credit Union
Personal Access Code (or PAC–they are too ashamed to call it a password), must be between 5 to 8 digits and cannot start with '0'. (no letters or symbols)
Very.co.uk
Password field allows *only* the listed Special Characters ($ . , ! % ^ \*). You're also forced to use both upper, and lower letters, as well as a number.
Vietnam Airlines
`[[:alnum:]]{6,8}`
Vio Bank
The password requirement is not even fully enumerated. Upon inspection of the source code, the following lines were found, hidden by javascript: "Must include at least %MINSPECIAL of the following characters:-.~!@#&_{}|:$%^*()=[];?/+" The actual list of special characters that are prohibited is correctly enumerated there. It's a result of [`a misapplication`](https://cibng.ibanking-services.com/cib/scripts/jquery/custsvc/custSvcChangePassword.js) of the [`variable allowedSpecialCharacters found here`](https://cibng.ibanking-services.com/cib/scripts/jquery/custsvc/fis-visual-validator.js?version=20180507). It took under 5 minutes to find the bug after looking at the source for the first time. This is a bank.
Virgin Media
Your password needs to be between 8 and 10 characters long, with no spaces, and must contain only numbers and letters. The first character must be a letter. Feb 2020 Update: policy remains the same but the description is hidden leaving you to guess the acceptable length/chars. Users are now left with helpful hints after JS validation.
Virgin Mobile
You can only use PIN as your password.
Virgin Trains
Your password needs to be between 8 and 10 characters long. Previously this would silently truncate the password without warning, causing confusion when the password wouldn't work.
Vistara
Password must contain: - 8 to 12 Characters. - At least one lowercase and uppercase letter. - At least one numeric character. - At least one special character (!, @, #, $, %, %, ^, &, +, =). Must not contain space, first or last name.
Vélib’ Métropole
Your password must be at least 10 characters, with at least 1 uppercase character, 1 lowercase character, 1 number and 1 special character (only from this list: @, $, €, #, %, *, ., ;, !, ?). You're not allowed to paste passwords.
Wageworks
In addition to the following rules regarding passwords... - 8-20 characters in length - Include at least 4 of the following: lowercase letter, uppercase letter, number AND symbol - Not include your last name, first name or space Your new password should be different from your previous twenty passwords. Ok. Password21!, it is.
Walmart
Your password must include the following: - 8-100 characters - Upper & lowercase letters - At least one number or special character
Waze
After you request a password reset and you receive an email with instructions and link to reset your password, you are presented with this password reset form. Your password length is limited between 8 and 16 characters. Additionally the form breaks with an error if you use any special characters. The form does not mention anything about special characters. Waze is owned by Google.
WeatherBug
Maximum 16 characters.
WellStar MyChart
Your password must be between 8 and 20 characters.
Wells Fargo
Your password must be between 8-32 characters long and inexplicably doesn't accept `-` but does seemingly accept other special characters.
Wells Fargo Identity Theft Protection
Your password on an Identity Theft Protection service is limited to between 8 and 20 characters. Your username is allowed to be longer than your password.
Westpac Live Online Banking
Password rules: - be between 8 and 30 characters - include at least 1 number, 1 letter and 1 special character (@#%^ etc) - have no more than 2 repeating characters (AAB not AAA) - not contain spaces - not be the same as your last 3 passwords
Whitcoulls
Your password must: - be between 7 and 15 characters - contain a capital letter - have no spaces (shown only when you go to change it)
Williams-Sonoma
25 maximum characters and disallowing some specials.
Xfinity Modem
Only letters and numbers are valid. No spaces or special characters. Seen on model TG3482G. ARRIS Group, Inc. Firmware: TG3482PC2_3.5p17s1_PROD_sey
Zurich
Password must be EXACTLY 8 characters long. Alpha numeric characters ONLY. The first character must be alphabetic. NO spaces. The new Password cannot be the same as the last 32 passwords you have used. (they actually store your last 32 passwords)
amaysim
Passwords must be 6-15 characters. If you enter more than 15 characters at signup, there is no error, but the system apparently silently truncates to 15 characters. So of course, logging in subsequently fails if you enter the untruncated password. How convenient.
myRTA
The Roads and Traffic Authority's 'Online Services' website for New South Wales, Australia. Password rules: - Must be between 6 and *10* characters long - Must be a combination of letters and numbers - Cannot be the same as any of the previous two passwords, including the current password - Is case sensitive