By far the worst is the costa rican national bank:

• Must be between 8 and 16 characters long
• Must have at least 4 letters and 4 numbers
• Can’t have consecutively repeated characters (can’t do “aa” but can do “aba”)
• Can’t have vowels or Ñ
• Must not be one of your last 6 passwords
• Must be changed every 90 days
• Also forgot that their website and app try to block password managers and copy and paste

Obligatory link to neal.fun password-game

Six numbers only.

My favorite is a major credit card company with case-insensitive passwords. They also only allow a small handful of special characters, so the total possible character space is roughly 42 characters. Needless to say, I chose to use a password that was the maximum allowed length (which was sadly also only 32 characters).

I had to log back into an account for an app (I think Taco Bell) that decided to remove passwords entirely without any notice. You typed in your email address, had to open your email account and click a link they sent you, it would open a webpage, which would then have a button to open the app again. If I remember correctly too, it would only work on Chrome, so I had to copy and paste the link since Chrome isn’t my default browser that automatically opens from my mobile email.

Besides that, I remember some website required a special character from an extremely small list and wouldn’t allow two of the same letter back-to-back.

Not sure if it falls under the same category, but the way Activision handles (handled? I haven’t used them since) passwords was atrocious! I had to reset my password to get back into my account, I used a random diceware password, it accepted it. However! The client on both Windows and Xbox wouldn’t let you input a password longer than I believe 20 characters. So while you can set a 25 character password, you can go fuck yourself if you actually wanna log in…

My work was using some MS-based account system, but I don’t know if this was stock or something they modified. When you had to change your password, it would tell you if your new password didn’t meet the password requirements, as usual. What it wouldn’t tell you was what those requirements were…

So yeah, the requirements the system won’t tell you about would have to be the worst one i came across…

Stupid bank app doesn’t allow password managers… and if you hit the enter button to login you get an error message informing you that you need to mouse click on the button.

One special character.

Seems logic right? Until you get that it is one and one only. Took me some time.

I had a wi-fi device a few years ago that would require a password up to 12 characters, but that requirement wasn’t explicitly written anywhere. The device would gladly accept a 13-character password, for example, but you would never be able to log in again (factory-resetting was the only way to undo).

More recently I purchased a Lennox HVAC system that came with their proprietary thermostat (an Android tablet with a wall mount). During the Christmas break I got myself a new wi-fi router and had to reconfigure all my wireless devices. After 2 days, the Lennox thermostat was the last device to join the new wi-fi network… and it failed because their password could have any character EXCEPT the asterisk — and my new password had an asterisk. I didn’t like the idea of redoing all my other devices AGAIN just because of this idiotic password rule, so I ended up creating a new SSID just for the thermostat. I named it LENNOXSUCKS.

Max length of something under 18 …

Irks my gears

Any service that says I must have a 12 or 14 string password, combined with symbols, numbers and letters.

Do you know why, I have to keep resetting my password, services that have this dumb requirement? Because your fucking requirements are absurd and unnecessary. I don’t have the mental capacity to care to remember that long of a password. I have to have a document now of all of the passwords I have so it’s not forgotten. I have to have browsers autofill for me because of this shit.

In a perfect world, 6 - 8 string passwords would suffice and lots of emphasis on symbols and numbers at the very least. The longer you try making the characters of a password, the chances of forgetting increases.

Flickr does this. Some of the portals to my apartment portal does this. Portals to some of my medical information does this. It’s fucking bullshit. StateFarm does this too.

I volunteer at a local high school and the students password is their birthday, because they are given their account at age 5, in kindergarten, and it’s something you can reasonably expect a 5 year old to remember. Also, the students are not allowed to change their password unless they get “hacked”, which is usually just another student logging into their account and deleting their assignments.

Password needs one special character.
Not at least one. Exactly one.

I hate any password requirement that says “special characters” but has a list of exceptions, like no . , ! ; or empty spaces. Just tell the user to make a passphrase, enforce at least one empty space and, dunno, 25 characters minimum, and bam. It’s not like hackers try brute force anymore, they just hack insecure DBs full of user data and use that everywhere.