Dumb Password Rules
Shaming sites with dumb password rules.
Contributing
Feel free to submit a pull request with dumb rules you've encountered.
See other sites for the formatting and follow these rules:
- Include the name of the site with a link.
- Add a clean comment about the dumb password rule (optional).
- Include at least one screenshot.
- Keep the sites in alphabetical order.
Sites
Table of contents
- Admiral
- ADP
- Advanzia
- American Express
- AmeriHealth
- AOL
- Arlo
- Banco Mercantil
- Battle.net
- Best Buy
- Blacknight / Odin
- Blackrock
- Blue Cross Blue Shield Massachusetts
- BMO Bank of Montreal
- BMW ConnectedDrive
- California Department of Motor Vehicles
- Chase Bank
- Comcast
- Copyright.gov
- Dell
- Delta
- DJI
- Dutch Tax Authorities (Belastingdienst)
- El Corte Ingles
- E-learning (Unipd)
- Fidelity
- Global Entry
- GoDaddy
- GoDaddy SFTP
- Her Majesty's Revenue & Customs (UK Tax)
- ING a Dutch bank in almost 50 countries
- Intel
- Izly by Crous
- Jitterbit
- Maxpreps
- Merrill Lynch
- Major League Baseball
- MetLife
- Microsoft (work accounts)
- Mindware
- MKB NetBankár
- Movistar
- Oracle
- PayPal
- Paytm
- Raiffeisen Bank Serbia
- Red Hat
- SAP Cloud Appliance Library
- Safeway
- Singapore Airlines
- Sparkasse
- Sprint
- State Bank of India (Foreign Travel Card)
- Synchrony Financial
- Ticketmaster.de
- TwinSpires
- Ubisoft
- United States Postal Service
- University of Texas at Austin
- Virgin Media
- Virgin Mobile
- Virgin Trains
- Walmart
- WeatherBug
- Wells Fargo
- Williams-Sonoma
- Wells Fargo Identity Theft Protection
Admiral
Restricts the inclusion of a % character.
ADP
Forced to change the password during the first login. At least they could use proper grammar in their rule list.
Advanzia
- Requires at least 6 to a maximum of 12 characters [sic!]
- Allows only digits and letters without umlauts
- Allows only specific special characters: ? ! $ € % & * _ = - + . , : ; / ( ) { } [ ] ~ @ #
- Allows no spaces
American Express
Sometimes I forget that caps-lock is on, glad it doesn't matter.
AmeriHealth
Their site says "All information is kept safe and secure." Just not as secure as you'd like.
User Password must be between 6 and 14 characters and contain 1 numerical value.
AOL
Between 8 and 16, so I can't go up to 20. Oh, and thanks for restricting one of the most common special characters!
Arlo
Your password contains characters not listed. Therefore, they do not match.
Banco Mercantil
8 to 15 chars. No special chars allowed but requires special chars. Also requires lowercase, uppercase, and numbers. Consecutive chars are prohibited. Did I mention the page hangs while you type? That eye icon tho.
Battle.net
8 to 16 characters, at least one number and one letter and last but not least NO special characters, and can't have a password that looks like your username too.
A real time travel adventure through the password rules of 2005!
Best Buy
You can enter whatever password you like! But you probably don't want to make it too long, because you'll break us and you'll never be able to login again.
Blacknight / Odin
Blackrock
They force you to enter a password that has 8, 9, or 10 characters, then they lecture you on how to create a strong password.
Blue Cross Blue Shield Massachusetts
16 maximum and no special characters. Protecting your US healthcare information.
BMO Bank of Montreal
Password must be exactly 6 characters long and no special character.
BMW ConnectedDrive
Although the prompt suggests good things, after many failed attempts to set a new password, it turns out you can ONLY use the special characters shown in the prompt.
California Department of Motor Vehicles
They also prohibit pasting into the password field by using a JavaScript alert() whenever you right-click or press the Ctrl button, so you can't use a password manager.
Chase Bank
We don't even want you to login online.
Comcast
Your password should be difficult to guess as long as it's not over 16 characters long.
Copyright.gov
I wonder if they cooperate with NSA to enforce the password rules.
Dell
Okay, at least 6, that's alright I guess. Oh, at least one number and one letter, bit dumb but hey, not that dumb.
But hiding the fact that it has a max of 20, now THAT is dumb!
Delta
It's a good thing they don't store personal information such as your passport number... oh wait.
DJI
The symbol \ is banned without a notice, it'll probably escape whatever you'll put in, just why...
Dutch Tax Authorities (Belastingdienst)
At least 8 and at most 25 characters, of which at least 3 of the characters were not used in the previous password. No more than 3 of the same characters. At least 1 upper case and 4 lower case characters. No more than 3 special characters.
It's not like hashing passwords is a thing or something.
El Corte Ingles
Min 6 and max 8 characters for password! Can't contain anything other than letters and numbers. Apart from that, the email address must have at least 8 characters (sorry million dollar domain owners! :D)
E-learning (Unipd)
Exactly 8 characters for password! There must be at least 1 lowercase letter, at least 1 uppercase letter, at least 1 number and at least 1 special char ( * , . $ # @ etc...).
Fidelity
No more than 20 characters and leave out characters commonly used by programmers. We don't want you to hack the mainframe.
Global Entry
"Our duties are wide-ranging, and our goal is clear - keeping America safe."
GoDaddy
Some characters are too special.
GoDaddy SFTP
Max 14 characters for the most important password in your shared hosting environment.
Her Majesty's Revenue & Customs (UK Tax)
We store basically all of your data, but we can't store your password.
ING a Dutch bank in almost 50 countries
Max 20 characters, must have one number, one upper case character and one lower case character. You can only use certain special characters. When I asked about it, they answered that it's really hard to change it. When I asked if the password is saved as a hash or just plain, they sent the answer to the technical department; this was March 2018.
Intel
Izly by Crous
Izly by Crous is an imposed French payment service for the university. You can't pay your daily meal without that because yeah you know cash is an ancient dumb thing.
Your username is firstname.lastname@youruniversity.fr or your phone number. We only allow you a fixed 6 numbers password. Oh yeah we also block your account after three failed attempts. How convenient when the only thing you need to know is the name of someone and where they study. How convenient indeed.
Oh and also look we got pages NOT TRANSLATED IN FRENCH because duh.
Jitterbit
While not the dumbest password rule, still dumb.
Password must have a length of at least eight characters and contain at least one: number, special char !#$%-_=+<>, capital letter, and lowercase letter.
Maxpreps
- Natalie Weiner
- can't sign in because her last name is offensive language for the website
Merrill Lynch
Passwords must be between 8 and 20 characters, and some special characters are allowed. Users with randomly-generated passwords may find it particularly annoying to generate a password that works for their password safe.
Major League Baseball
When creating a new account they enforce some password rules like: length must be between 8 and 15 characters and there must be one upper case, one lower case letter and one number.
MetLife
Max length of 20 characters, no special characters allowed. Pasting into the second password field is disabled even with the Chrome extension Don't Fuck With Paste.
Microsoft (work accounts)
What doesn't seem to be a problem for personal accounts, is for work accounts from Microsoft (e.g. Office 365 etc.).
Maximum 16 characters. So forget about using your new fancy diceware password here - or really any secure passwords in general.
Oh - and besides that, please don't use any "exotic" symbols, like ¤ or €. Or the letters Æ, Ø or Å from the Danish alphabet. They all are supposedly "spaces".
Mindware
You "may use special characters", but only some of them - and we won't necessarily tell you which ones.
MKB NetBankár
Movistar
Min 7 and max 8 characters for password! Also to be different than the username: the user name is automatically generated and is based on the surname of the user with some characters replaced by digits :)
Has been that way for more than 10 years.
Oracle
Should not or must not? RFC 2119 may want a word with you.
PayPal
We'll tell you not to use your name as your password, but we won't tell you how we restrict your password choice otherwise.
Paytm
Password must be between 5 and 15 characters. Also, spaces don't count as characters.
Raiffeisen Bank Serbia
There are a couple of password limitations when creating a new account on the Raiffeisen Bank Serbia online banking portal. Password length is limited to minimum 8 and maximum 16 characters. Also, minimum uppercase letters 1, minimum lowercase letters 1, minimum digits 2, maximum consecutive identical characters 4 and first character must be a letter. Oh... And, no special characters!
Red Hat
Symbols. You keep using that word. I don't think it means what you think it means.
SAP Cloud Appliance Library
Passwords between 8 and 9 characters are the best.
Safeway
Passwords limited to 8-12 characters.
Singapore Airlines
/\d{6}/
Sparkasse
„Sparkasse“ is a group of banks which is pretty popular in Germany. It calls its passwords „PIN“ („persönliche Identifikations-Nummer“, personal identification number), the rules are pretty horrific and it's not even a number, even though it is called as such! Here is a screenshot from the branch where I am from (Jena, Germany), but since they have a central IT, I think it will be identical in other branches:
The rules are as such:
- Only 5 characters
- Small letters (a-z)
- Large letters (A-Z)
- Numbers (0-9)
- „Special“ characters: ä,ö,ü,Ä,Ö,Ü and ß (Not surprising for a German company)
After the rules there are some hints on what the password should not look like:
- Combinations of your initials and the birthyear
- Your phone number or parts thereof
- Your zipcode
- Common combinations like 123ab or 55555
- Full or parts of your login credentials
Sprint
Sprint "upgraded" their security and disallow special characters.
State Bank of India (Foreign Travel Card)
State Bank of India is the largest government operated bank in India. They offer "travel" prepaid cards for foreign currencies, this is for their portal for the prepaid card users to manage their account.
Your password must:
- Be between 8 and 9 characters long
- Contain at least 1 lowercase character
- Contain at least 1 uppercase character
- Contain at least 1 special character
- Contain at least 1 number
- NOT contain any "hacking characters" - #, %, &, =, /, <
Synchrony Financial
Financial services - where we don't allow you to create the strongest password possible.
Ticketmaster.de
Your password length is limited between 5 and 20 characters.
TwinSpires
You can gamble on our site. We'll keep your money secure with a 12 character password!
Ubisoft
Only tells you the rules after submitting and clicking a link to a pop up window.
United States Postal Service
Pick from an arbitrary list of symbols, and no repeating characters.
University of Texas at Austin
Because of the last two rules, which ban dictionary words and any variants using symbol substitutions, neither of the passwords presented in the xkcd comic is allowed.
Virgin Media
Your password needs to be between 8 and 10 characters long, with no spaces, and must contain only numbers and letters. The first character must be a letter.
Virgin Mobile
You can only use PIN as your password.
Virgin Trains
Your password needs to be between 8 and 10 characters long. Previously this would silently truncate the password without warning, causing confusion when the password wouldn't work.
Walmart
Your password length is limited between 6 and 12 characters.
WeatherBug
Maximum 16 characters.
Wells Fargo
Your password must be between 6 and 14 characters.
Williams-Sonoma
25 maximum characters and disallowing some specials.
Wells Fargo Identity Theft Protection
Your password on an Identity Theft Protection service is limited to between 8 and 20 characters. Your username is allowed to be longer than your password.