Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.

Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…

  • @Lemm1ng · 13 minutes ago

    I had a wi-fi device a few years ago that would require a password up to 12 characters, but that requirement wasn’t explicitly written anywhere. The device would gladly accept a 13-character password, for example, but you would never be able to log in again (factory-resetting was the only way to undo).

    More recently I purchased a Lennox HVAC system that came with their proprietary thermostat (an Android tablet with a wall mount). During the Christmas break I got myself a new wi-fi router and had to reconfigure all my wireless devices. After 2 days, the Lennox thermostat was the last device to join the new wi-fi network… and it failed because their password could have any character EXCEPT the asterisk — and my new password had an asterisk. I didn’t like the idea of redoing all my other devices AGAIN just because of this idiotic password rule, so I ended up creating a new SSID just for the thermostat. I named it LENNOXSUCKS.

  • Soulifix · 128 minutes ago

    Any service that says I must have a 12 or 14 string password, combined with symbols, numbers and letters.

    Do you know why I have to keep resetting my password on services that have this dumb requirement? Because your fucking requirements are absurd and unnecessary. I don’t have the mental capacity to care to remember that long of a password. I have to have a document now of all of the passwords I have so it’s not forgotten. I have to have browsers autofill for me because of this shit.

    In a perfect world, 6 - 8 string passwords would suffice, with lots of emphasis on symbols and numbers at the very least. The longer you try making the characters of a password, the more the chances of forgetting increase.

    Flickr does this. Some of the portals to my apartment portal do this. Portals to some of my medical information do this. It’s fucking bullshit. StateFarm does this too.

    • @[email protected] · 324 minutes ago

      Using a password manager is a lifesaver for this :) There are open source ones like KeePass, and you can sync the encrypted file across devices using Dropbox or similar.

  • @iamdefinitelyoverthirteen · 1 hour ago

    I volunteer at a local high school and the students’ password is their birthday, because they are given their account at age 5, in kindergarten, and it’s something you can reasonably expect a 5-year-old to remember. Also, the students are not allowed to change their password unless they get “hacked”, which is usually just another student logging into their account and deleting their assignments.

  • Dem Bosain · 32 hours ago

    I had to make a password last fall that had the requirement “numerals or special characters”. A password with both numerals and special characters wouldn’t work.

  • I Cast Fist · 11 hour ago

    I hate any password requirement that says “special characters” but has a list of exceptions, like no . , ! ; or empty spaces. Just tell the user to make a passphrase, enforce at least one empty space and, dunno, 25 characters minimum, and bam. It’s not like hackers try brute force anymore, they just hack insecure DBs full of user data and use that everywhere.

  • @umbraroze · 73 hours ago

    Probably the silliest thing I have run into was some game. It asked you to set two passwords. You needed both to login. The second password couldn’t be changed. This is why it was secure, see. (…What.)

    When I created my account and set the second password, I couldn’t log on the second time, because I had entered a 20-character second password. It was accepted and verified during the account creation just fine. On the second login, it only accepted 16 characters. (It let you enter 20 characters but said it was too long.) Trying to enter the first 16 characters of the second password didn’t work, of course.

    I then contacted the support, and they did manage to reset the second password anyway. (What is this even?)

  • @tankplanker · 3 hours ago

    Worked somewhere that required security clearance that used your national insurance number (UK equivalent to SSN) as your login id. Most people in the UK do not memorise their NI number.

    Password had to be uppercase and lowercase letters, numbers, and special characters, I think at least 12? Couldn’t have back-to-back special characters or start or end with numbers. No whole words, either.

    So now you have to remember two strings of letters and numbers. Sackable offence to write either down. I once got a phone call from security because I would mis-enter my password after lunch the first time around, just once a day, but they rang me up still to see what was going on.

    Security there was a nightmare. I worked with an obviously disabled guy, who forgot to put his disabled badge on his car dashboard, and they threatened to ban him from site (which would result in the sack as you couldn’t work remotely). The kicker was that they said “we know you forgot to put the badge out”, so they knew he was disabled, as all car registrations are preregistered (the only way onsite).

  • slazer2au · 177 hours ago

    My old bank required you to have a password exactly 12 characters long, and to log in you had to give the characters in specific places.

    It would ask you what are the 4th, 7th, and 11th letters of your password.

    Anyone want to guess why they aren’t my bank anymore?

    • palordrolap · 34 hours ago

      Oh yeah, mine has that as one of the options, but they’ve beefed it up a little. You also have to enter your date of birth and then they send a text to a pre-arranged number with a further 6-digit PIN that also has to be used.

  • @[email protected] · 77 hours ago

    Not really a requirement, but my WiFi router has the admin password written on it as usual, but when you enter it and click OK, the password field fills up with characters and login doesn’t work. What has to be done instead is you have to click “forgot password”, enter the same password you just got denied with, and after changing it (to the same password) it just boots you into admin mode. You don’t even have to confirm your identity.

  • @laurathepluralized · 2411 hours ago

    The oddest I’ve ever encountered: EXACTLY 15 characters long. No more, no fewer. 15.

    Honorable mention: various online accounts where I used my password manager to generate a long, secure password, which the website accepted without warning or error. I was then locked out because their user management system could not handle such long passwords (had to create a second account with a much shorter password to find that out) 🤣

    • @[email protected] · 47 hours ago

      A university I worked at had a similar policy to the first one.

      They wanted a single username and sign on across all IT systems but also had some really old legacy systems that didn’t support long passwords.

      So they’d force everyone to use passwords that were exactly as long as the maximum legacy password length.

      For me, the worst system is the Microsoft authenticator, which locks me out of my account for five minutes if my fingerprint doesn’t match the first time I try.
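The lockouts described by @umbraroze, @laurathepluralized and the university reply above share one cause: the signup path and the login path apply different length rules. This added example (not code from any poster or product; `MAX_LEN` and every function name are assumptions) reproduces the 20-accepted/16-enforced mismatch and shows the fix, a single policy check shared by both paths that rejects rather than truncates.

```python
"""Signup/login length mismatch from the thread: signup stores a 20-character
password, but the login path applies a 16-character legacy limit, so the
account can never be entered again. Constructed example; MAX_LEN and all
function names are assumptions, not any real product's code."""
import hashlib
import hmac
import os

MAX_LEN = 16  # legacy backend limit that only the login path enforced


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def register_buggy(db: dict, user: str, password: str) -> None:
    # Signup never checks length and stores a hash of the full password.
    salt = os.urandom(16)
    db[user] = (salt, _derive(password, salt))


def login_buggy(db: dict, user: str, password: str) -> bool:
    # Login silently truncates to the legacy limit before hashing, so a
    # password longer than MAX_LEN can never match what signup stored.
    salt, stored = db[user]
    return hmac.compare_digest(_derive(password[:MAX_LEN], salt), stored)


def check_policy(password: str) -> None:
    # One policy function shared by both paths: reject, never truncate.
    if not 1 <= len(password) <= MAX_LEN:
        raise ValueError(f"password must be 1 to {MAX_LEN} characters")


def register_fixed(db: dict, user: str, password: str) -> None:
    check_policy(password)
    salt = os.urandom(16)
    db[user] = (salt, _derive(password, salt))


def login_fixed(db: dict, user: str, password: str) -> bool:
    try:
        check_policy(password)
    except ValueError:
        return False  # cannot be a stored password; no need to hash
    if user not in db:
        return False
    salt, stored = db[user]
    return hmac.compare_digest(_derive(password, salt), stored)
```

Raising `MAX_LEN` is the better fix when the backend allows it; the point is that whatever the limit is, both paths must see the same one.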

  • Phoenixz · 3912 hours ago

    Not so much password requirements as just a completely removed implementation:

    To access payment stubs in a data center (not us) that I worked at, the user account was our public email address and the password was a personal code, sorta like SSN, but that code could be easily looked up as it was public info.

    I showed the director of HR, who authorized this, her own payment stub as evidence that this was baaaaadddd.

    So she asked me to check that system for more issues.

    Turns out it stored passwords in blank (wtf) and would authenticate with two queries. First query would check if the username (email) exists. Second query would check if the password exists. If both exist, you’re in! So I could log in to any account with MY password…

    This is a tip of a very big iceberg there

    • @[email protected] · 137 hours ago

      This has to be the best one here. The sheer lack of understanding of how to authenticate an account by the dev.