Dumb Password Rules

Shaming sites with dumb password rules.

Contributing

Feel free to submit a pull request with dumb rules you've encountered.

See other sites for the formatting and follow these rules:

Include the name of the site with a link.
Add a clean comment about the dumb password rule (optional).
Include at least one screenshot.
Keep the sites in alphabetical order.

Sites

American Express

Sometimes I forget that caps-lock is on, glad it doesn't matter.

AmeriHealth

Their site says "All information is kept safe and secure." Just not as secure as you'd like.

User Password must be between 6 and 14 characters and contain 1 numerical value.

Arlo

Your password contains characters not listed. Therefore, they do not match.

8 to 15 chars. No special chars allowed but requires special chars. Also requires lowercase, uppercase, and numbers. Consecutive chars are prohibited. Did I mention the page hangs while you type? That eye icon tho.

Best Buy

You can enter whatever password you like! But you probably don't want to make it too long, because you'll break us and you'll never be able to login again.

Blacknight / Odin

The auto-generated strong password is not a valid password ! Blacknight use Odin for it's admin panel.

Blue Cross Blue Shield Massachusetts

16 maximum and no special characters. Protecting your US healthcare information.

BMO Bank of Montreal

Password must be exactly 6 characters long and no special character.

Chase Bank

We don't even want you to login online.

Comcast

Your password should be difficult to guess as long as it's not over 16 characters long.

El Corte Ingles

Min 6 and max 8 characters for password! Can't contain anything different than letters and numbers. Apart, the email address must have at least 8 characters (sorry million dollar domain owners! :D)

Fidelity

No more than 20 characters and leave out characters commonly used by programmers. We don't want you to hack the mainframe.

Global Entry

"Our duties are wide-ranging, and our goal is clear - keeping America safe."

GoDaddy

Some characters are too special.

Her Majestys Revenue & Customs (UK Tax)

We store basically all of your data, but we can't store your password.

Intel

Izly by Crous

Izly by Crous is an imposed French payment service for the university. You can't pay your daily meal without that because yeah you know cash is an ancient dumb thing.

Your username is firstname.lastname@youruniversity.fr or your phone number. We only allow you a fixed 6 numbers password. Oh yeah we also block your account after three failed atempts. How convenient when the only thing you need to know is the name of someone and where they study. How convenient indeed.

Oh and also look we got pages NOT TRANSLATED IN FRENCH because duh.

Mindware

You "may use special characters", but only some of them - and we won't necessarily tell you which ones.

Movistar

Min 7 and max 8 characters for password! Also to be different than the username: the user name is automatically generated and is based on the surname of the user with some characters replaced by digits :)

Has been that way for more than 10 years.

PayPal

We'll tell you not to use your name as your password, but we won't tell you how we restrict your password choice otherwise.

SAP Cloud Appliance Library

Passwords between 8 and 9 characters are the best.

Singapore Airlines

/\d{6}/

Sparkasse

„Sparkasse“ is a group of banks which is pretty popular in Germany. It calls its passwords „PIN“ („persönliche Identifikations-Nummer“ — personal identification number), the rules are pretty horrific and its not even a number, even though it is called as such! Here is a screenshot from the branch where I am from (Jena, Germany), but since they have a central IT, I think it will be identical in other branches: