source link: https://github.com/dumb-password-rules/dumb-password-rules

README.rst

Dumb Password Rules

Shaming sites with dumb password rules.

Contributing

Feel free to submit a pull request with dumb rules you've encountered.

See other sites for the formatting and follow these rules:

  • Include the name of the site with a link.
  • Add a clean comment about the dumb password rule (optional).
  • Include at least one screenshot.
  • Keep the sites in alphabetical order.

Sites

Admiral

Restrict the inclusion of a % character.

Admiral

ADP

Forced to change the password during the first login. At least they could use proper grammar in their rule list.

ADP

Advanzia

  • Requires at least 6 to a maximum of 12 characters [sic!]
  • Allows only digits and letters without umlauts
  • Allows only specific special characters: ? ! $ €% & * _ = - +. ,:; / () {} [] ~ @ #
  • Allows no spaces

Advanzia

Air France

  • Between 8 to 12 characters
  • Should contain capital, lowercase letters and numbers

Air France

American Express

Sometimes I forget that caps-lock is on, glad it doesn't matter.

American Express

Ameli.fr (French national health insurance)

It was very painful to find a password that works with this one and that I can actually remember (I ended up using my bank account number because everything else failed). It took me maybe one hour and I thought I would go crazy (and yes, the session expires frequently while you are actually thinking about a password).

  • The password must be more than 8 characters
  • But you cannot use more than 13 characters
  • You can only use digits
  • You cannot use your birthdate or your login
  • You cannot use a sequence of digits (if your password happens to contain 56 or 89 it will be rejected)
  • You cannot repeat the same character (if your password contains 22 or 55 it will be rejected)

ameli.fr

AmeriHealth

Their site says "All information is kept safe and secure." Just not as secure as you'd like.

User Password must be between 6 and 14 characters and contain 1 numerical value.

AmeriHealth

AmiAmi

Your password needs to be between 6 and 12 characters long, must contain only letters and numbers.

AmiAmi

AOL

Between 8 and 16, so I can't go up to 20. Oh, and thanks for restricting one of the most common special characters!

AOL

Apple

Can't contain 3 or more consecutive identical characters.

Apple

Arbeitnehmeronline

Service for managing employment documents of the German company Datev.

Only the following character categories are allowed: letters, numbers and this special character set: !#$%&()*+,-./:;<=>?@[]^_`{|}~äöüßÄÖÜ

Arbeitnehmeronline

Arlo

Your password contains characters not listed. Therefore, they do not match.

Arlo

AT&T

The only special characters allowed are underscores and hyphens.

ATT

Banco Mercantil

8 to 15 chars. No special chars allowed but requires special chars. Also requires lowercase, uppercase, and numbers. Consecutive chars are prohibited. Did I mention the page hangs while you type? That eye icon tho.

Banco Mercantil

Bank Millennium

Passwords limited to 8 digits.

Bank Millennium

Battle.net

8 to 16 characters, at least one number and one letter and last but not least NO special characters, and can't have a password that looks like your username too. Oh, and passwords are NOT case sensitive.

A real time travel adventure through the password rules of 2005!

Battle.net

BBVA

Username is your national ID (easy to find) and your password must have up to 6 alphanumeric characters only.

For a bank account with all your money in one of the largest financial institutions in the world.

BBVA

Bendigo Bank

Exactly eight characters.

Bendigo Bank

BDO

Please nominate a password which contains UPPERCASE, lowercase, numbers and symbols. Password should not be the same as the user ID. Avoid using consecutive characters such (ex. abc, DEF, 678) and invalid characters such as [!#$%^&';"].

BDO

Best Buy

You can enter whatever password you like! But you probably don't want to make it too long, because you'll break us and you'll never be able to login again.

Best Buy
Best Buy2

Blackrock

They force you to enter a password that has 8, 9, or 10 characters, then they lecture you on how to create a strong password.

Blackrock

Blue Cross Blue Shield Massachusetts

16 maximum and no special characters. Protecting your US healthcare information.

Blue Cross Blue Shield Massachusetts

BMO Bank of Montreal

Password must be exactly 6 characters long and no special character.

BMO Bank of Montreal

BMW ConnectedDrive

Although the prompt suggests good things, after many failed attempts to set a new password, it turns out you can ONLY use the special characters shown in the prompt.

BMW ConnectedDrive

Boursorama

"To ensure the highest level of security, your password must have... 8 digits". And it must be entered using a funny keypad with the digits in the wrong order.

Boursorama

California Department of Motor Vehicles

They also prohibit pasting into the password field by using a JavaScript alert() whenever you right-click or press the Ctrl button, so you can't use a password manager.

California DMV

Chegg

Here are the (only fairly poor) rules for a new password. Enter a 64-character password that matches all the rules (notice no rules on maximum length). That password you entered looks good! But we didn't change it. And your old password doesn't work. Or the new one. ¯\_(ツ)_/¯

Chegg1 Chegg2 Chegg3

Canadian Imperial Bank of Commerce

Letters and numbers only, no symbols. Also an undocumented maximum of 12 characters!

CIBC

Comcast

Your password should be difficult to guess as long as it's not over 16 characters long.

Comcast

Copyright.gov

I wonder if they cooperate with NSA to enforce the password rules.

Copyright.gov

DBS Bank (Singapore)

[[:digit:]]{6,8}

DBS

Dell

Okay, at least 6, that's alright I guess. Oh, at least one number and one letter, a bit dumb but hey, not that dumb.

But hiding the fact that it has a max of 20, now THAT is dumb!

Dell

Delta

It's a good thing they don't store personal information such as your passport number... oh wait.

Delta

DJI

The symbol \ is banned without a notice, it'll probably escape whatever you'll put in, just why...

DJI

Dutch Tax Authorities (Belastingdienst)

At least 8 and at most 25 characters, of which at least 3 of the characters were not used in the previous password. No more than 3 of the same characters. At least 1 upper case and 4 lower case characters. No more than 3 special characters.

It's not like hashing passwords is a thing or something.

Dutch Tax Authorities

Easyjet

No more than 20 characters, use any symbols you like... Oh except #, &, +, or space of course.

Easyjet

El Corte Ingles

Min 6 and max 8 characters for the password! Can't contain anything other than letters and numbers. Apart from that, the email address must have at least 8 characters (sorry, million dollar domain owners! :D)

El Corte Ingles

E-learning (Unipd)

Exactly 8 characters for password! There must be at least 1 lowercase letter, at least 1 uppercase letter, at least 1 number and at least 1 special char ( * , . $ # @ etc...).

e-learning (Unipd)

Fidelity

No more than 20 characters and leave out characters commonly used by programmers. We don't want you to hack the mainframe.

Fidelity

Fidelity National Information Services

White label online banking provider. Typically appears as BANK.ibanking-services.com or BANK.ebanking-services.com. If your small local bank has a crappy online banking experience, these guys probably provide it.

\<>' and spaces prohibited, upper bound. Passwords of exactly the maximum length are truncated by one character. Unlisted prohibited characters.

FIS Global

EON

By the time I'd finished reading the rules I'd forgotten all of them.

EON

Global Entry

"Our duties are wide-ranging, and our goal is clear - keeping America safe."

Global Entry

GoDaddy

Some characters are too special.

GoDaddy

GoDaddy SFTP

Max 14 characters for the most important password in your shared hosting environment.

GoDaddy SFTP

Her Majesty’s Revenue & Customs (UK Tax)

We store basically all of your data, but we can't store your password.

Her Majesty’s Revenue & Customs

Hetzner

  • 8 or more characters
  • At least one uppercase and one lowercase letter
  • At least one number or special character

Okay, fair enough, but after putting in a password with some special characters this message appears:

  • Invalid characters, allowed are: A-Z a-z 0-9 ä ö ü ß Ä Ö Ü ^ ! $ % / ( ) = ? + # - . , ; : ~ * @ [ ] { } _ ° §

You can't use &<>'"\|´`, spaces and any other non-ascii character.

Hetzner

ING, a Dutch bank in almost 50 countries

Max 20 characters, must have one number, one upper case character and one lower case character. You can only use certain special characters. When I asked about it they answered that it's really hard to change it. When I asked if the password is saved as a hash or just plain, they sent the answer to the technical department; this was March 2018.

ING Bank

ING Australia

4 numeric digits. "Added security" by randomising the positions on the keypad. Must be clicked.

ING Australia

ING Romania's Internet Banking Portal

No more, no less than 5 digits. This is the password you use to log in and to confirm online transactions. They used to have "normal" passwords and they forced everybody to change to the 5-digit version. They said they've made it "so it's easier for you" and it's OK, because everybody has 2FA.

ING Romania

Inria

This is the account for those who work at Inria <https://www.inria.fr/> "the French national research institute for the digital sciences".

You have to wonder what's wrong with these special characters but not the other ones.

  • Password expiration once a year
  • Your password must contain at least 8 characters.
  • Your password can't be a commonly used password.
  • Your password can't be entirely numeric.
  • Your password cannot contain non-ASCII chars
  • Your password cannot contain ^ " ' space ; /
  • Your password must contain at least 2 punctuation
  • Your password must contain at least 1 uppercase
  • Your password must contain at least 1 lowercase
  • Your password cannot contain your login (or substring of login)
  • Your password cannot contain your last name (or substring of last name)
  • Your password cannot contain your first name (or substring of first name)

Inria

Intel

Intel

Izly by Crous

Izly by Crous is an imposed French payment service for the university. You can't pay your daily meal without that because yeah you know cash is an ancient dumb thing.

Your username is [email protected] or your phone number. We only allow you a fixed 6-number password. Oh yeah, we also block your account after three failed attempts. How convenient when the only thing you need to know is the name of someone and where they study. How convenient indeed.

Oh and also look we got pages NOT TRANSLATED IN FRENCH because duh.

Izly by Crous

Jitterbit

While not the dumbest password rule, still dumb.

Password must have a length of at least eight characters and contain at least one: number, special char !#$%-_=+<>, capital letter, and lowercase letter.

Jitterbit

LibraryThing

"Your password cannot be longer than 20 characters"

LibraryThing

Maxpreps

Natalie Weiner can't sign in because her last name is offensive language for the website.

Maxpreps

Merrill Lynch

Passwords must be between 8 and 20 characters, and some special characters are allowed. Users with randomly-generated passwords may find it particularly annoying to generate a password that works for their password safe.

Merrill Lynch

Major League Baseball

When creating a new account they enforce some password rules like: length must be between 8 and 15 characters and there must be one upper case, one lower case letter and one number.

MLB

MetLife

Max length of 20 characters, no special characters allowed. Pasting into the second password field is disabled even with the Chrome extension Don't Fuck With Paste.

MetLife

Microsoft (work accounts)

What doesn't seem to be a problem for personal accounts is for work accounts from Microsoft (e.g. Office 365 etc.).

Maximum 16 characters. So forget about using your new fancy diceware password here - or really any secure passwords in general.

Oh - and besides that, please don't use any "exotic" symbols, like ¤ or €. Or the letters Æ, Ø or Å from the Danish alphabet. They all are supposedly "spaces".

Microsoft (work accounts)

Mindware

You "may use special characters", but only some of them - and we won't necessarily tell you which ones.

Mindware
Mindware

MKB NetBankár

It only accepts lowercase letters, uppercase letters and numbers (any other character counts as a forbidden character).
Also, if your password contains any invalid character, it will get marked as "Identical to the former 10 passwords".
To make it more fun, during the registration, it allows you to set a 24-character password to log in to their website.
Once you try to log in with the password, it will say that the maximum length accepted is 16 characters.
What actually happens is that they let you insert 24 characters during registration, but only the first 16 will actually get used as the password.

MKB NetBankár

Mobi Bike Share

Your PIN (which is the password you use to login, which lets you, say, buy hundreds of dollars worth of bike-share subscriptions off the saved credit card) must be four numeric digits. Helpfully, they even give you an example of a PIN: 1234.

Mobi Bike Share

Movistar

Min 7 and max 8 characters for the password! Also, it must be different from the username: the user name is automatically generated and is based on the surname of the user with some characters replaced by digits :)

Has been that way for more than 10 years.

Movistar

MobileIron MDM

You can't make this up - no dictionary words, no more than 2 repeating characters, no alphabetic sequences, no whitespace, 3 character sets, maximum of 32 characters.

MobileIron

Mycanal

  • Minimum of 8 characters
  • Contain at least 1 uppercase character or 1 number
  • Cannot contain these characters: ‹ › ' "

Mycanal

NBank

User ID has to contain special characters, password may not contain (basically) any special characters.

NBank

Oracle

Should not or must not? RFC 2119 may want a word with you.

Oracle

Origin

Password must be between 8 and 16 characters long

Origin

PagoMisCuentas

Password must be between 8 and 15 alphanumeric characters, and have at least one uppercase and one lowercase letter.

PagoMisCuentas

Parnassus Investments

A site responsible for protecting your investments limiting you to a four character range with a bunch of other stupid rules? Shocking.

Parnassus

PayPal

We'll tell you not to use your name as your password, but we won't tell you how we restrict your password choice otherwise.

PayPal

Paytm

Password must be between 5 and 15 characters. Also, spaces don't count as characters.

Paytm

PizzaHut

Passwords must be greater than 6 characters, and have an arbitrary set of rules we don't tell you about until after you try to set your password.

PizzaHut-1 PizzaHut-2 PizzaHut-3

Raiffeisen Bank Serbia

There are a couple of password limitations when creating a new account on Raiffeisen Bank Serbia on-line banking portal. Password length is limited to minimum 8 and maximum 16 characters. Also, minimum uppercase letters 1, minimum lowercase letter 1, minimum digits 2, maximum consecutive identical characters 4 and first character must be a letter. Oh... And, no special characters!

Raiffeisen Bank Serbia

Red Hat

Symbols. You keep using that word. I don't think it means what you think it means.

Red Hat

Rediff

A maximum password length of 12. The hidden requirements are:

  • at least 1 uppercase letter
  • at least 1 lowercase letter
  • at least 1 numeric character
  • at least 1 special symbol (which cannot be ^, %)

Rediff

Roll 20

Your new password must be at least 4 characters long and no longer than 40 characters. Your password was not changed.

Roll 20

Rushmore Loan Management Services

Hmmm.. why are they afraid of double and single quotes in my passwords?

Rushmore

SAP Cloud Appliance Library

Passwords between 8 and 9 characters are the best.

SAP Cloud Appliance Library

Scandinavian Airlines

The password rules themselves are fine, but they don't inform you about the max length of the password. Their max length is 14 characters, so even if you enter a password of 42 chars, you can log in with the first 14 of it. In this case, I changed my password to Super_l0ng_password_that_fits_all_criteria, and could log in with Super_l0ng_pas

Answer from SAS customer service:

> Hi,
> Thank you for your e-mail.
> Our website only takes 14 characters as a password, so somehow when you registered it took all 49.
> But since our website only asks for 14 characters anything after will be valid.
> I would advise you to change your password.
> Have a wonderful day.

Scandinavian Airlines

Safeway

Passwords limited to 8-12 characters.

Safeway

Singapore Airlines

/\d{6}/

Singapore Airlines

Sky Ticket

Sky is a German pay-TV provider with over 23 million subscribed users worldwide. They also have an online streaming service called "Sky Ticket".

You can only set a 4 digit long PIN with no option for two-factor authentication or any additional security mechanisms.

Sky Ticket

Slovenska sporitelna

Slovenska sporitelna is the biggest bank in Slovakia. Despite a pretty new version of the internet banking (rolled out in 2018), their password policy restricts passwords to at most 16 characters and prohibits any special characters.

Slovenska sporitelna

Sparkasse

„Sparkasse“ is a group of banks which is pretty popular in Germany. It calls its passwords „PIN“ („persönliche Identifikations-Nummer“ — personal identification number); the rules are pretty horrific and it's not even a number, even though it is called one! Here is a screenshot from the branch where I am from (Jena, Germany), but since they have a central IT, I think it will be identical in other branches:

Sparkasse Jena

The rules are as such:

  • Only 5 characters
  • Small letters (a-z)
  • Large letters (A-Z)
  • Numbers (0-9)
  • „Special“ characters: ä,ö,ü,Ä,Ö,Ü and ß (Not surprising for a German company)

After the rules there are some hints on what the password should not look like:

  • Combinations of your initials and the birthyear
  • Your phone number or parts thereof
  • Your zipcode
  • Common combinations like 123ab or 55555
  • Full or parts of your login credentials

Sprint

Sprint "upgraded" their security and disallow special characters.

Sprint

State Bank of India (Foreign Travel Card)

State Bank of India is the largest government-operated bank in India. They offer "travel" prepaid cards for foreign currencies; this is their portal for prepaid card users to manage their account.

Your password must:

  • Be between 8 and 9 characters long
  • Contain at least 1 lowercase character
  • Contain at least 1 uppercase character
  • Contain at least 1 special character
  • Contain at least 1 number
  • NOT contain any "hacking characters" - #, %, &, =, /, <

SBI

Synchrony Financial

Financial services - where we don't allow you to create the strongest password possible.

Synchrony Financial

T-Mobile

We prefer to not tell you which characters you can use up front.

T-Mobile

Techcombank

Your password must:

  • Be between 6 and 8 characters long
  • Contain at least 1 number character
  • Contain at least 1 lowercase character
  • Contain at least 1 uppercase character
  • Neither spaces nor unicode characters are allowed. In fact, NO special characters are allowed
  • Must be changed every 90 days

Techcombank

Telekom/T-Systems MyWorkplace

Telekom's MyWorkplace is a Single Sign On / login hub for their Open Telekom Cloud which is basically an Amazon AWS clone. It's rather new and especially for business customers. Especially because it is for business customers, there's absolutely no reason to limit a password to 16 characters. Even special characters are limited to a certain set.

MyWorkplace

Ticketmaster.de

Your password length is limited between 8 and 32 characters.

Ticketmaster.de

Trade Me

Won't allow spaces or single quotes. Maybe other characters as well - they do not say up front - but the password they accepted contained lots of other special characters.

TradeMe

TreasuryDirect

Will allow most passwords longer than 8 characters. Doesn't tell you there is a maximum length of 16 characters. Then forces you to type it with an on-screen keyboard with no capital letters.

Treasury1

Treasury2

TwinSpires

You can gamble on our site. We'll keep your money secure with a 12 character password!

TwinSpires

Ubisoft

Only tells you the rules after submitting and clicking a link to a pop up window.

Ubisoft

United States Postal Service

Pick from an arbitrary list of symbols, and no repeating characters.

United States Postal Service

University of California San Diego

Passwords must be between 8 and 11 characters long!

University of California San Diego

University of Texas at Austin

Because of the last two rules, which ban dictionary words and any variants using symbol substitutions, neither of the passwords presented in the xkcd comic are allowed.

University of Texas at Austin

University of Windsor

The password policy applies to alumni as well. Must be at least 10 characters long, with at least 1 upper case and 1 lower case character, at least 1 number, at least 1 special character. Password expires every 120 days, and you can't reuse an old one.

University of Windsor

USAA Bank

Password cannot be longer than 12 characters but they don't tell you that until after you try a new password. To make up for this fact they've added dubious additional security features on top of this weak foundation.

USAA

URSSAF (French employers tax collection service)

When setting a new password: Password must be exactly 8 characters, at least 1 letter, at least 1 number, but no special characters.

URSSAF

Vancity Credit Union

Personal Access Code (or PAC; they are too ashamed to call it a password) must be between 5 and 8 digits and cannot start with '0'. (No letters or symbols.)

Vancity Credit Union

Very.co.uk

Password field allows only the listed Special Characters ($ . , ! % ^ *). You're also forced to use both upper, and lower letters, as well as a number.

Very

Vietnam Airlines

[[:alnum:]]{6,8}

Vietnam Airlines

Vio Bank

The password requirement is not even fully enumerated. Upon inspection of the source code, the following lines were found, hidden by JavaScript: "Must include at least %MINSPECIAL of the following characters:-.~!@#&_{}|:$%^*()=[];?/+"

The actual list of special characters that are prohibited is correctly enumerated there. It's a result of a misapplication of the variable allowedSpecialCharacters found here.

It took under 5 minutes to find the bug after looking at the source for the first time. This is a bank.

Viobank

Virgin Media

Your password needs to be between 8 and 10 characters long, with no spaces, and must contain only numbers and letters. The first character must be a letter.

Virgin Media

Virgin Mobile

You can only use PIN as your password.

Virgin Mobile

Virgin Trains

Your password needs to be between 8 and 10 characters long. Previously this would silently truncate the password without warning, causing confusion when the password wouldn't work.

Virgin Trains

Walmart

Your password length is limited between 6 and 12 characters.

Walmart

WeatherBug

Maximum 16 characters.

WeatherBug

Wells Fargo

Your password must be between 6 and 14 characters.

Wells Fargo

WellStar MyChart

Your password must be between 8 and 20 characters.

WellStar MyChart

Westpac Live Online Banking

6 characters [exactly]. no blanks, spaces or special characters.

Westpac Live Online Banking

Williams-Sonoma

25 maximum characters and disallowing some specials.

Williams-Sonoma

Wells Fargo Identity Theft Protection

Your password on an Identity Theft Protection service is limited to between 8 and 20 characters. Your username is allowed to be longer than your password.

Wells Fargo Identity Theft Protection
