Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.

Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…

  • ryathal@sh.itjust.works · 22 points · 2 months ago

    Passwords that must contain a special character, but only from a list of three special characters.

    Passwords that must be changed every 3 months.

    Absurdly narrow length requirements; I'm 80% sure I saw one that required 8-16 characters.

    All dictionary words were banned from being in a password regardless of length, so passphrases weren’t allowed.

    • NJSpradlin@lemmy.world · 6 points · 2 months ago (edited)

      I redid one of mine yesterday; 3-months, exactly 8 characters, must use a symbol from the three approved ones (#$@).

      I hate it, I wish they’d abandon that system or change the encryption requirement to match our other systems that use our physical badges.

      Edit: it’s really dumb around the holidays, too. We’re off for Thanksgiving, Christmas and New Years so I really only got a few weeks out of that last one.

    • Susaga@sh.itjust.works · 2 points · 2 months ago

      It’s always quote unquote fun finding out what words are and are not in their dictionary. I got by using a bunch of nerd words, but apparently Aragorn is not allowed.

  • laurathepluralized@lemmy.world · 17 points · 2 months ago

    The oddest I’ve ever encountered: EXACTLY 15 characters long. No more, no fewer. 15.

    Honorable mention: Various online accounts where I used my password manager to generate a long, secure password, which the website accepted without warning or error. I was then locked out because their user management system could not handle such long passwords (had to create a second account with a much shorter password to find that out) 🤣

    • OhNoMoreLemmy@lemmy.ml · 4 points · 2 months ago

      A university I worked at had a similar policy to the first one.

      They wanted a single username and sign on across all IT systems but also had some really old legacy systems that didn’t support long passwords.

      So they’d force everyone to use passwords that were exactly as long as the maximum legacy password length.

      For me, the worst system is the Microsoft authenticator, which locks me out of my account for five minutes if my fingerprint doesn't match the first time I try.

  • slazer2au@lemmy.world · 13 points · 2 months ago

    My old bank required you to have a password exactly 12 characters long, and to log in you had to give the characters in specific places.

    It would ask you what the 4th, 7th, and 11th letters of your password were.

    Anyone want to guess why they aren't my bank anymore?
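The positional challenge described above only works if the server can check single characters of the password in isolation, which is the whole problem: whatever the storage format, it is equivalent to storing each character separately. The following is an added example, not anything from the bank or from the poster, and the per-character salted-hash layout it uses is a hypothetical design chosen to make the point; the 12-character password is constructed for the demo. It shows the login check the form would perform, and then how anyone holding the stored record recovers the entire password with at most 94 guesses per position instead of 94^12 for a hash over the whole string.

```python
import hashlib
import os
import string

CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 printable chars


def _digest(salt, ch):
    return hashlib.sha256(salt + ch.encode()).hexdigest()


def enrol(password, salt=None):
    """Store one salted hash per character so the server can later check, say,
    positions 4, 7 and 11 without the rest. Hypothetical design: the post does not
    say how the bank stored anything, but any positional scheme must be able to
    verify single characters on their own, which is what makes it weak."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "chars": [_digest(salt, c) for c in password]}


def verify_positions(record, answers):
    """answers: {1-based position: character}. This is all the login form checks."""
    return all(_digest(record["salt"], ch) == record["chars"][pos - 1]
               for pos, ch in answers.items())


def recover_password(record):
    """Anyone holding the record recovers the whole password with at most
    len(CHARSET) hash evaluations per position, because positions are independent.
    Returns (password, number of guesses actually spent)."""
    out, guesses = [], 0
    for digest in record["chars"]:
        for ch in CHARSET:
            guesses += 1
            if _digest(record["salt"], ch) == digest:
                out.append(ch)
                break
    return "".join(out), guesses


if __name__ == "__main__":
    rec = enrol("Xy7#kL9$pQ2w")  # constructed 12-character password for the demo
    print(verify_positions(rec, {4: "#", 7: "9", 11: "2"}))
    print(recover_password(rec))
    print(f"worst case {len(CHARSET) * 12} guesses here, versus "
          f"{len(CHARSET) ** 12:.2e} against one hash of the full password")
```

Shoulder-surfing or phishing a few logins leaks the password the same way, three positions at a time, which is why the usual advice is to treat partial-password schemes as no stronger than a short PIN.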

  • CallMeMrFlipper@lemmy.world · 11 points · 2 months ago

    Not sure if it falls under the same category, but the way Activision handles (handled? I haven’t used them since) passwords was atrocious! I had to reset my password to get back into my account, I used a random diceware password, it accepted it. However! The client on both Windows and Xbox wouldn’t let you input a password longer than I believe 20 characters. So while you can set a 25 character password, you can go fuck yourself if you actually wanna log in…

  • AwesomeLowlander@sh.itjust.works · 11 points · 2 months ago (edited)

    Stupid bank app doesn’t allow password managers… and if you hit the enter button to login you get an error message informing you that you need to mouse click on the button.

  • TootSweet@lemmy.world · 10 points · 2 months ago (edited)

    12 characters, upper/lower/special requirement, and no more than two occurrences of the same character together. That’s FedEx.

    Two other thoughts on the topic:

    • Websites/apps/etc should always list their password requirements on the login page to make it easier to determine what password you used for the site in question.
    • There are plenty of websites where I literally log in only by using the “forgot password” flow because their password requirements are so ridiculous.

  • lama@lemmy.world · 9 points · 2 months ago (edited)

    By far the worst is the costa rican national bank:

    • Must be between 8 and 16 characters long
    • Must have at least 4 letters and 4 numbers
    • Can’t have consecutively repeated characters (can’t do “aa” but can do “aba”)
    • Can’t have vowels or Ñ
    • Must not be one of your last 6 passwords
    • Must be changed every 90 days
    • Also forgot that their website and app try to block password managers and copy and paste

  • CarbonatedPastaSauce@lemmy.world · 9 points · 2 months ago

    A company I used to work for is big enough that everyone reading this has heard of it. They had this wonderful security nightmare going on:

    When you were hired, the company would issue your user credential with a standard password that was “CompanyName1” and require you to immediately change it at first logon. Everyone knew this password because everyone got it when they were hired.

    Password policy required everyone to reset their password every 60 days. Not the worst ever but still pretty aggressive. And with the rise of all the mobile devices connecting with your corp account it was getting to be a worse and worse experience.

    Can you guess yet how these two policies are linked in my story?

    Well, some of the C-Suite executives didn’t have time for any of these security shenanigans. So they would have their executive support person log into an administrative console and reset the exec’s password every 59 days to the same value that it currently had, thereby bypassing the password re-use filter.

    That value they were continuously setting was… “CompanyName1”

    I know of at least two executives that were doing this while I worked there.

  • weker01@sh.itjust.works · 9 points · 2 months ago

    Extremely limited password length. I think it was around 6 or 8 characters. Exactly! So every password was the same length.

    No other requirements. The best part? It was a bank. But not a customer facing service.

    • Treczoks@lemmy.world · 6 points · 2 months ago

      Banks are amazingly bad at digital security. I once was in a bank (where my wife had an account) where they used first generation wireless keyboards. The ones that did not encrypt anything and could be received at a distance of up to 10 m, more if you had a better antenna. I told them about the security issues, but they did not understand. I went to the newspaper agent and bought the newest edition of a computer magazine that had detailed descriptions of how to eavesdrop on those keyboards, returned to the bank, and handed them the article. Which featured exactly their keyboard model as the title photo. I told them "If you don't understand this, it's fine, but then give it to the person responsible for your IT and security, they should know how to deal with this."

      Next time we were there, they still had the insecure keyboards. Yes, the IT department had told them that they should replace them with wired ones, but they rejected it, because the wireless ones were sooo convenient. Our next move was to close my wife's account there.

  • umbraroze@lemmy.world · 8 points · 2 months ago

    Probably the silliest thing I have run into was some game. It asked you to set two passwords. You needed both to login. The second password couldn’t be changed. This is why it was secure, see. (…What.)

    When I created my account and set the second password, I couldn’t log on the second time. Because I had entered a 20 character second password. It was accepted and verified during the account creation just fine. On the second login, it only accepted 16 characters. (It let you enter 20 characters but said it was too long.) Trying to enter first 16 characters of the second password didn’t work, of course.

    I then contacted the support, and they did manage to reset the second password anyway. (What is this even)

  • ObsidianNebula@sh.itjust.works · 8 points · 2 months ago (edited)

    I had to log back into an account for an app (I think Taco Bell) that decided to remove passwords entirely without any notice. You typed in your email address, had to open your email account and click a link they sent you, it would open a webpage, which would then have a button to open the app again. If I remember correctly too, it would only work on Chrome, so I had to copy and paste the link since Chrome isn’t my default browser that automatically opens from my mobile email.

    Besides that, I remember some website required a special character from an extremely small list and wouldn’t allow two of the same letter back-to-back.

  • otp@sh.itjust.works · 7 points · 2 months ago

    Anything that requires regular password resets. It’s fine if it’s changed on the site and in the user’s vault automatically, but if a user has to type in their password with any sort of regularity, it’s a recipe for disaster to require regular changes.

    People write predictable or formulaic passwords, or just end up resetting their password more often than necessary because they forgot it (making them more susceptible to phishing).

    • Susaga@sh.itjust.works · 2 points · 2 months ago

      There was an episode of Elementary where they were able to find the victim's password on a post-it note, because the company requires a new password every month and he didn't want to remember a new one that often.

      • otp@sh.itjust.works · 1 point · 2 months ago

        It’s the worst when they do that and have difficult restrictions on passwords.

        One place I worked at had limits like “no more than two letters back-to-back”, “no more than two numbers back-to-back and no sequential numbers”.

        The rules were available on the password reset screen.

        The minimum was only something like 8 characters, so I have to wonder how many people had a1b2c3d? for a password.

        Feed those rules to a password cracker and it’d be able to get in easily.

        To their credit, I think they did support passwords that were maybe 64 characters long. But after they introduced those weird requirements (probably because some VIPs had stupid passwords like their names + birth year?), I just started hitting the character minimum because I’d have to manually type it in at least once.
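The point otp makes about feeding the published rules to a cracker, and the rule list lama posted for the Costa Rican bank, can both be made concrete by counting how many passwords each policy actually admits. The block below is an added example written for this page, not code from any poster; it counts the admitted strings with a small dynamic programme over character classes and reports the result in bits, plus the worst-case time to exhaust the space at an assumed offline guessing rate. Where the posts leave gaps it assumes: "letters" without vowels or Ñ are 21 case-insensitive consonants, "letters or digits" elsewhere means 62 mixed-case alphanumerics, and otp's "no sequential numbers" rule is left out because it depends on digit values rather than classes, so that space is really a bit smaller than shown. The 1e10 guesses/second figure is likewise an assumption, not a measurement.

```python
import collections
import itertools
import math
from functools import lru_cache


def count_policy(length, classes, min_counts=None, max_counts=None,
                 max_run=None, no_adjacent_repeat=False):
    """Count passwords of exactly `length` chars admitted by a composition policy.
    classes: {name: alphabet_size}; min_counts/max_counts: {name: n} per-class bounds;
    max_run: {name: n} longest run of consecutive chars from one class;
    no_adjacent_repeat: the same character twice in a row is banned ("aa" out, "aba" ok).
    DP over (position, class of previous char, run length, per-class counts): chars in
    one class are interchangeable, so only the class sequence matters."""
    names = list(classes)
    min_counts, max_counts, max_run = min_counts or {}, max_counts or {}, max_run or {}

    @lru_cache(maxsize=None)
    def go(pos, last, run, counts):
        if pos == length:
            return int(all(counts[i] >= min_counts.get(n, 0) for i, n in enumerate(names)))
        total = 0
        for i, n in enumerate(names):
            new_run = run + 1 if last == i else 1
            if counts[i] + 1 > max_counts.get(n, length) or new_run > max_run.get(n, length):
                continue
            # with no_adjacent_repeat, staying in the same class loses one choice:
            # the character just used
            options = classes[n] - (1 if no_adjacent_repeat and last == i else 0)
            if options > 0:
                new_counts = counts[:i] + (counts[i] + 1,) + counts[i + 1:]
                total += options * go(pos + 1, i, new_run, new_counts)
        return total

    return go(0, None, 0, (0,) * len(names))


def brute_force_count(length, alphabets, min_counts=None, max_counts=None,
                      max_run=None, no_adjacent_repeat=False):
    """Exhaustive cross-check of count_policy on tiny concrete alphabets ({name: "abc"})."""
    min_counts, max_counts, max_run = min_counts or {}, max_counts or {}, max_run or {}
    labelled = [(ch, name) for name, alpha in alphabets.items() for ch in alpha]
    n = 0
    for combo in itertools.product(labelled, repeat=length):
        chars, labels = [c for c, _ in combo], [lab for _, lab in combo]
        if no_adjacent_repeat and any(a == b for a, b in zip(chars, chars[1:])):
            continue
        counts, runs, cur, prev = collections.Counter(labels), collections.Counter(), 0, None
        for lab in labels:
            cur, prev = (cur + 1 if lab == prev else 1), lab
            runs[lab] = max(runs[lab], cur)
        if (any(counts[k] < v for k, v in min_counts.items())
                or any(counts[k] > v for k, v in max_counts.items())
                or any(runs[k] > v for k, v in max_run.items())):
            continue
        n += 1
    return n


def bits(count):
    return math.log2(count) if count else float("-inf")


# Policies from the thread; see the assumptions stated above the block.
POLICIES = {
    "8 printable ASCII, no composition rules":
        ([8], dict(classes={"any": 95})),
    "Costa Rican bank, 8-16 chars, >=4 consonants, >=4 digits, no 'aa'":
        (range(8, 17), dict(classes={"consonant": 21, "digit": 10},
                            min_counts={"consonant": 4, "digit": 4}, no_adjacent_repeat=True)),
    "same bank, but users stop at the 8-char minimum":
        ([8], dict(classes={"consonant": 21, "digit": 10},
                   min_counts={"consonant": 4, "digit": 4}, no_adjacent_repeat=True)),
    "exactly 8 chars, at least one of #$@":
        ([8], dict(classes={"alnum": 62, "symbol": 3}, min_counts={"symbol": 1})),
    "8 chars, runs of letters or of digits capped at 2":
        ([8], dict(classes={"letter": 52, "digit": 10}, max_run={"letter": 2, "digit": 2})),
}


def keyspace(lengths, policy):
    return sum(count_policy(L, **policy) for L in lengths)


def report(guesses_per_second=1e10):
    """(name, bits, worst-case seconds to exhaust) per policy. The rate is an assumed
    offline figure against a fast unsalted hash, not a measurement."""
    return [(name, round(bits(keyspace(lengths, p)), 1), keyspace(lengths, p) / guesses_per_second)
            for name, (lengths, p) in POLICIES.items()]


if __name__ == "__main__":
    for name, b, secs in report():
        print(f"{b:5.1f} bits  {secs / 86400:12.1f} days  {name}")
```

Run it and compare the rows: the rules that look strict on the registration page mostly remove candidates an attacker would otherwise have to try, and once people settle on the minimum length (as otp describes), the gap between the "strict" policy and plain 8 printable characters is the whole story.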

  • Lemm1ng@lemmy.world · 7 points · 2 months ago

    I had a wi-fi device a few years ago that would require a password up to 12 characters, but that requirement wasn’t explicitly written anywhere. The device would gladly accept a 13-character password, for example, but you would never be able to log in again (factory-resetting was the only way to undo).

    More recently I purchased a Lennox HVAC system that came with their proprietary thermostat (an Android tablet with a wall mount). During the Christmas break I got myself a new wi-fi router and had to reconfigure all my wireless devices. After 2 days, the Lennox thermostat was the last device to join the new wi-fi network… and it failed because their password could have any character EXCEPT the asterisk — and my new password had an asterisk. I didn’t like the idea of redoing all my other devices AGAIN just because of this idiotic password rule, so I ended up creating a new SSID just for the thermostat. I named it LENNOXSUCKS.
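Several posts above (laurathepluralized, CallMeMrFlipper, umbraroze and Lemm1ng) describe the same bug class: registration accepts a long password without complaint, but the login path applies a shorter limit, so the account is unusable until support intervenes. The added example below is not anything from those services; it is a probe of the kind you would run against a test instance before shipping, wrapped around a constructed toy backend that reproduces the bug. For each candidate length it registers a throwaway account and checks that the exact password logs in (otherwise that length locks you out) and that one extra character is rejected (otherwise input is being silently cut, the bcrypt-72 style problem). The `ToyService` class, its `register`/`login` interface and the `sha256` stand-in for a real KDF are all assumptions of the example.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def random_password(n):
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


class ToyService:
    """Constructed stand-in for the backends in the thread. Registration silently keeps
    only the first `register_limit` characters (None = unlimited) and login keeps only
    the first `login_limit`; neither path reports an error."""

    def __init__(self, register_limit=None, login_limit=None):
        self.register_limit = register_limit
        self.login_limit = login_limit
        self.users = {}

    @staticmethod
    def _digest(pw):
        return hashlib.sha256(pw.encode()).hexdigest()  # stand-in for a real KDF

    def register(self, user, pw):
        if self.register_limit is not None:
            pw = pw[:self.register_limit]
        self.users[user] = self._digest(pw)
        return True  # "accepted without warning or error"

    def login(self, user, pw):
        if self.login_limit is not None:
            pw = pw[:self.login_limit]
        return self.users.get(user) == self._digest(pw)


def probe_length_limits(service, lengths=range(8, 65, 4)):
    """Register a fresh account per candidate length with a random password, then:
      (a) the exact password must log in, else this length locks the user out;
      (b) password + one extra char must be rejected, else input is silently cut.
    Works against anything exposing register(user, pw) and login(user, pw)."""
    result = {"longest_login_ok": None, "lockout_lengths": [], "silent_truncation_at": None}
    for n in lengths:
        user = f"probe-{n}-{secrets.token_hex(4)}"
        pw = random_password(n)
        service.register(user, pw)
        if not service.login(user, pw):
            result["lockout_lengths"].append(n)
            continue
        result["longest_login_ok"] = n
        if result["silent_truncation_at"] is None and service.login(user, pw + "x"):
            result["silent_truncation_at"] = n
    return result


if __name__ == "__main__":
    # Login form cuts at 16 but registration takes anything: the thread's lockout case.
    print(probe_length_limits(ToyService(login_limit=16), range(8, 33, 4)))
    # Both sides cut at 72 (bcrypt style): no lockout, but chars past 72 are ignored.
    print(probe_length_limits(ToyService(register_limit=72, login_limit=72), range(8, 97, 8)))
```

Against a real service the same loop needs throwaway accounts and rate-limit awareness, but the two checks are the ones that catch both failure modes: a mismatch between the two code paths, and a shared silent cut that makes the tail of a long password meaningless.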

  • Valmond@lemmy.world · 7 points · 2 months ago

    One special character.

    Seems logical, right? Until you get that it is one and one only. Took me some time.

  • qantravon@lemmy.world · 6 points · 2 months ago

    Most absurd was from a job I had in college. This was the password to log into an ancient dumb terminal (literally a monochrome black and green display) on a local-only network that only handled our time clock.

    Requirements:

    • 8 characters exactly
    • You supply the first 4, the system generated the last 4
    • I can’t remember if it allowed numbers, but there were definitely no special characters and I think it was also case-insensitive

    Required to change password every 30 days.