Obligatory link to neal.fun password-game

My favorite is a major credit card company with case-insensitive passwords. They also only allow a small handful of special characters, so the total possible character space is roughly 42 characters. Needless to say, I chose to use a password that was the maximum allowed length (which was sadly also only 32 characters).

I had to log back into an account for an app (I think Taco Bell) that decided to remove passwords entirely without any notice. You typed in your email address, had to open your email account and click a link they sent you, it would open a webpage, which would then have a button to open the app again. If I remember correctly too, it would only work on Chrome, so I had to copy and paste the link since Chrome isn’t my default browser that automatically opens from my mobile email.

Besides that, I remember some website required a special character from an extremely small list and wouldn’t allow two of the same letter back-to-back.

Stupid bank app doesn’t allow password managers… and if you hit the enter button to login you get an error message informing you that you need to mouse click on the button.

My work was using some MS-based account system, but I don’t know if this was stock or something they modified. When you had to change your password, it would tell you if your new password didn’t meet the password requirements, as usual. What it wouldn’t tell you was what those requirements were…

So yeah, the requirements the system won’t tell you about would have to be the worst one i came across…

Probably the silliest thing I have run into was some game. It asked you to set two passwords. You needed both to login. The second password couldn’t be changed. This is why it was secure, see. (…What.)

When I created my account and set the second password, I couldn’t log on the second time. Because I had entered a 20 character second password. It was accepted and verified during the account creation just fine. On the second login, it only accepted 16 characters. (It let you enter 20 characters but said it was too long.) Trying to enter first 16 characters of the second password didn’t work, of course.

I then contacted the support, and they did manage to reset the second password anyway. (What is this even)

Not so much password requirements as just a completely removed implementation:

To access payment stubs in a data center (not us) that I worked at, the user account was our public email address and the password was a personal code, sorta like SSN, but that code could be easily looked up as it was public info.

I showed the director of HR, who authorized this her own payment stub as evidence that this was baaaaadddd

So she asked me to check that system for more issues

Turns out it stored passwords in blank (wtf) and would authenticate with two queries. First query would check if the username (email) exists. Second query would check if the password exists. If both exists, you’re in! So i could login to any account with MY password…

This is a tip of a very big iceberg there

One special character.

Seems logic right? Until you get that it is one and one only. Took me some time.

I add to make a password last fall that had the requirement “numerals or special characters”. A password with both numerals and special characters wouldn’t work.

Passwords that must contain a special character, but only from a list of three special characters.

Passwords that must be changed every 3 months.

Absurdly narrow length requirements, im 80% sure I saw one that required 8-16 characters.

All dictionary words were banned from being in a password regardless of length, so passphrases weren’t allowed.

Six numbers only.

1. There was the multi user operating system in the 1990s that required every user to have a unique password. We were young and innocent then and used common English words. Upon changing your password, it would check your new password against all other users. An error like

That password is already used by johnp. Please choose another password.

was not uncommon.

2. When I started using a password manager, I got keen and changed my passwords to 64 random characters. My bank would change this to uppercase, delete special characters, and save the first 8 characters of what was left. So when I logged in, it would compare the 64 character password I entered to the converted 8 character password that they saved, and find that they were different. (I found this out when I rang and complained, and they told me my password over the phone … 😱). They don’t do that any more.

My community colleges:

Passwords must be 12 characters long, contain at least one uppercase letter, one lowercase letter, a number, and a special character; it must also be changed every 30 days. There was also some sort of alogarithm that checked if your new password is too similar to any previous password you had used, and rejected it if it was too close.

Hilariously, if you had a link to the page the password was supposed to limit access to, you could bypass the password page entirely. As such, I never changed my password.

Not allowing you to paste a password, so you have to type it manually every time.

Password needs one special character.
Not at least one. Exactly one.