tonuonu / dumb-password-rules

Shaming sites with dumb password rules.

Home Page: https://twitter.com/dumb_pw_rules

Dumb Password Rules
===================

Shaming sites with dumb password rules.

Contributing
------------

Feel free to submit a pull request with dumb rules you've encountered.

See other sites for the formatting and follow these rules:

-  Include the name of the site with a link.
-  Add a clean comment about the dumb password rule (optional).
-  Include at least one screenshot.
-  Keep the sites in alphabetical order.

Sites
-----

-----------------
Table of contents
-----------------

.. contents::
   :local:

`Admiral <https://myaccount.admiral.com/login>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Restrict the inclusion of a % character.

|Admiral|

`ADP <https://login.adp.nl/selfservice/private/passchange/#/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Forced to change the password during the first login. At least they
could use proper grammar in their rule list.

|ADP|

`Advanzia <https://mein.advanzia.com/icc/assisto/nav/f96/f963b01b-043c-a21a-72e5-fd2ce0f2d5a2.htm#Sicherheit>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Requires at least 6 to a maximum of 12 characters [sic!]
- Allows only digits and letters without umlauts
- Allows only specific special characters: ? ! $ € % & * _ = - + . , : ; / ( ) { } [ ] ~ @ #
- Allows no spaces

|Advanzia|

`Air France <https://www.airfrance.fr/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Between 8 to 12 characters
- Should contain capital, lowercase letters and numbers

|Air France|

`Aigües de Barcelona <https://www.aiguesdebarcelona.cat/oficinaenxarxa/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Between 6 to 10 characters
- Only letters and numbers, without spaces

|Aigues de Barcelona|

`American Express <https://sso.americanexpress.com/SSO/request?request_type=un_createid&ssolang=en_NL&inav=at_sitefooter_register>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sometimes I forget that caps-lock is on, glad it doesn't matter.

|American Express|

`Ameli.fr (French national health insurance) <https://www.ameli.fr/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It was very painful to find a password that works with this one and that I can actually remember (I ended up using my bank account number because everything else failed). It took me maybe one hour and I thought I would go crazy (and yes, the session expires frequently while you are actually thinking about a password).

- The password must be more than 8 characters
- But you cannot use more than 13 characters
- You can only use digits
- You cannot use your birthdate or your login
- You cannot use a sequence of digits (if your password happens to contain 56 or 89 it will be rejected)
- You cannot repeat the same character (if your password contains 22 or 55 it will be rejected)

|ameli.fr|


`AmeriHealth <https://www.amerihealth.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Their site says "*All information is kept safe and secure.*" Just not as
secure as you'd like.

    User Password must be between 6 and 14 characters and contain 1
    numerical value.

|AmeriHealth|


`AmiAmi <https://www.amiami.com/eng/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password needs to be between 6 and 12 characters long, must contain only letters and numbers.

|AmiAmi|

`ANZ Bank <https://anz.com.au/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password needs to be between 8 and 16 characters long - no special characters allowed.

|ANZBank|

`AOL <https://aol.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~

Between 8 and 16, so I can't go up to 20. Oh, and thanks for restricting
one of the most common special characters!

|AOL|

`Apple <https://apple.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~

Can't contain 3 or more consecutive identical characters.

|Apple|

`Arbeitnehmeronline <https://www.arbeitnehmeronline.de>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Service for managing employment documents of the German company Datev.

Only the following character categories are allowed: letters, numbers and this set of special characters: ``!#$%&()*+,-./:;<=>?@[\]^_`{|}~äöüßÄÖÜ``

|Arbeitnehmeronline|

`Arlo <https://arlo.netgear.com/?passwordResetCode>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password contains characters not listed. Therefore, they do not
match.

|Arlo|

`AT&T <https://www.att.com>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The only special characters allowed are underscores and hyphens.

|ATT|

`Banco Mercantil <https://www.mercantilbanco.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8 to 15 chars. No special chars allowed but requires special chars. Also
requires lowercase, uppercase, and numbers. Consecutive chars are
prohibited. Did I mention the page hangs while you type? That eye icon
tho.

|Banco Mercantil|

`Bank Millennium <https://www.bankmillennium.pl/osobiste2/Retail/Login/MulticodeRequest>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Passwords limited to 8 digits.

|Bank Millennium|

`Battle.net <https://eu.battle.net/account/creation/en-us/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8 to 16 characters, at least one number and one letter and last but not least NO special characters, and can't have a password that looks like your username too. Oh, and passwords are NOT case sensitive.

A real time travel adventure through the password rules of 2005!

|Battle.net|

`BBVA <https://web.bbva.es/public.html?v=20190510#public/hazte-cliente>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Username is your national ID (easy to find) and your password must have up to **6** alphanumeric characters only.

For a bank account with all your money in one of the largest financial institutions in the world.

|BBVA|

`Bendigo Bank <https://banking.bendigobank.com.au/Logon/passwd.page>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

**Exactly** eight characters.

|Bendigo Bank|

`BDO <https://www.bdo.com.ph/personal>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please nominate a password which contains UPPERCASE, lowercase, numbers and symbols.
Password should not be the same as the user ID.
Avoid using consecutive characters such (ex. abc, DEF, 678) and invalid characters such as [!#$%^&';"].

|BDO|

`Best Buy <https://www-ssl.bestbuy.com/identity/changePassword>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can enter whatever password you like! But you probably don't want to
make it too long, because you'll break us and you'll never be able to
login again.

| |Best Buy|
| |Best Buy2|

`Blackrock <https://nge01.bnymellon.com/NextGenV4/dflt/Login.blk>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

They force you to enter a password that has 8, 9, or 10 characters, then
they lecture you on how to create a strong password.

|Blackrock|

`Blue Cross Blue Shield Massachusetts <https://www.bluecrossma.com/wps/portal/register>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

16 maximum and no special characters. Protecting your US healthcare
information.

|Blue Cross Blue Shield Massachusetts|

`BMO Bank of Montreal <https://www12.bmo.com/onlinebanking/OLB/ppr/cmp>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Password must be exactly 6 characters long and no special character.

|BMO Bank of Montreal|

`BMW ConnectedDrive <https://www.bmw-connecteddrive.co.uk/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Although the prompt suggests good things, after many failed attempts to
set a new password, it turns out you can ONLY use the special characters
shown in the prompt.

|BMW ConnectedDrive|

`Boursorama <https://www.boursorama.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"To ensure the highest level of security, your password must
have... 8 digits". And it must be entered using a funny keypad
with the digits in the wrong order.

|Boursorama|

`California Department of Motor Vehicles <https://www.dmv.ca.gov/FIM/sps/uscfed/usc/self/account/create>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

They also prohibit pasting into the password field by using a JavaScript
``alert()`` whenever you right-click or press the ``Ctrl`` button, so
you can't use a password manager.

|California DMV|


`CenturyLink <https://eam.centurylink.com/eam/login.do>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

So many bad ideas: a low maximum length, requiring six specific character types while not accepting common symbols,
plus a weird restriction that makes random generation harder.

|CenturyLink|

`Charles Sturt University <https://www.csu.edu.au/division/dit/services/services/access-and-logins/password-management>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Prevents spaces and a set list of characters, limits to 30 characters and can only change your password twice per day.

|csu.edu.au|

`Chase Bank <https://secure01a.chase.com/web/auth/dashboard>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Can't use any special characters except ! # $ % + / = @ ~
* Max length restriction (32 characters).
* No runs of identical characters ("aaa") or sequential characters ("abc").
* Password check is case-insensitive

|Chase|

`Chegg <https://www.chegg.com/auth?action=signup>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here are the (only fairly poor) rules for a new password. Enter 64 character password that matches all the rules (notice no rules on maximum length). That password you entered looks good! But we didn't change it. And your old password doesn't work. Or the new one. ¯\\\_(ツ)\_/¯

|Chegg1|
|Chegg2|
|Chegg3|

`Canadian Imperial Bank of Commerce <https://www.cibconline.cibc.com>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Letters and numbers only, no symbols. Also an undocumented maximum of 12 characters!

|CIBC|

`Comcast <https://customer.xfinity.com/#/settings/security/xfinity-access/password>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password should be difficult to guess as long as it's not over 16
characters long.

|Comcast|

`Commsec <https://www2.commsec.com.au/selfservice/resetpassword>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Another financial institution with short password requirements. They also block pasting into the field, making it a pain to use a password manager.

|Commsec|


`Copyright.gov <https://www.copyright.gov/eco/help-password-userid.html>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I wonder if they cooperate with NSA to enforce the password rules.

|Copyright.gov|

`DBS Bank (Singapore) <https://internet-banking.dbs.com.sg/IB/Welcome>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

``[[:digit:]]{6,8}``

|DBS|

`Dell <https://www.dell.com/Identity/global/LoginOrRegister>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Okay at least 6, that's alright I guess.
Oh at least one number and one letter, bit dumb but hey not that dumb.

But hiding the fact that it has a max of 20, now THAT is dumb!

|Dell|

`Deloitte GlobalAdvantage <http://www.ga.deloitte.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules that are completely arbitrary that basically make all safe passwords wrong,
instead forcing pseudo-safe password combinations.

|Deloitte GlobalAdvantage|

`Delta <https://www.delta.com/us/en/advisories/other-alerts/password-security>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It's a good thing they don't store personal information such as your passport number... oh wait.

|Delta|

`DJI <https://account.dji.com/register>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The symbol `\\` is banned without a notice, it'll probably escape whatever you'll put in, just why...

|DJI|

`Dutch Tax Authorities (Belastingdienst) <https://www.belastingdienst.nl/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At least 8 and at most 25 characters, of which at least 3 of the characters were not used in the previous password.
No more than 3 of the same characters.
At least 1 upper case and 4 lower case characters.
No more than 3 special characters.

It's not like hashing passwords is a thing or something.

|Dutch Tax Authorities|

`Easybank (Austrian direct bank) <https://www.easybank.at/de/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- At least 8 and at most 16 (!) characters
- **Must start with 5 digits (do we really want to know what's going on there?)**
- At least one uppercase and one lowercase letter
- (Some) special characters are permitted, most are not
- "Simple" patterns are prohibited
- PINs are case sensitive (at least it's something)

|Easybank|

`Easyjet <https://www.easyjet.com/en>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No more than 20 characters, use any symbols you like... Oh except #, &, +, or space of course.

|Easyjet|

`El Corte Ingles <https://www.elcorteingles.es/profile2/profile/registration/registroCliente.jsp?tiendaId=moonshine&pag_regreso=www.elcorteingles.es>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Min 6 and max 8 characters for password! Can't contain anything
other than letters and numbers. Apart from that, the email address must have
at least 8 characters (sorry million dollar domain owners! :D)

|El Corte Ingles|

`E-learning (Unipd) <https://elearning.studenti.math.unipd.it/authenticate/change_password/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exactly 8 characters for password! There must be at least 1 lowercase
letter, at least 1 uppercase letter, at least 1 number and at least 1
*special* char ( \* , . $ # @ etc...).

|e-learning (Unipd)|

`Fidelity <https://fps.fidelity.com/ftgw/Fps/Fidelity/RtlCust/ChangePIN/Init>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No more than 20 characters and leave out characters commonly used by
programmers. We don't want you to hack the mainframe.

|Fidelity|


`Fidelity National Information Services <https://www.fisglobal.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

White label online banking provider. Typically appears as ``BANK.ibanking-services.com`` or ``BANK.ebanking-services.com``. If your small local bank has a crappy online banking experience, these guys probably provide it.

``\<>'`` and spaces prohibited, upper bound. Passwords of exactly the maximum length are truncated by one character. Unlisted prohibited characters.

|FIS Global|

`EON <https://www.eonenergy.com/for-your-home/your-account/forgotten-password/non-link-reset/Reset>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By the time I'd finished reading the rules I'd forgotten all of them.

|EON|

`Fundatec <http://www.fundatec.org.br/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Must be exactly 6 alphanumeric characters, does not show that special characters are not allowed, username is your social security number (easily searchable) and the form is sent over plain HTTP. Did I mention this company applies college entrance exams for **Computer Science** nationwide in Brazil?

|Fundatec|

`Getin Bank <https://secure.getinbank.pl/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The new password should contain at least 10 and a maximum of 20 characters.
The password must contain at least one upper case letter, one lower case
letter and one number. The password cannot contain non-ASCII Polish alphabet
characters, special characters ``&<'"`` or spaces.

|Getin Bank|

`Global Entry <https://goes-app.cbp.dhs.gov/goes/PasswordChangePreAction.do>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"Our duties are wide-ranging, and our goal is clear - keeping America
safe."

|Global Entry|

`GoDaddy <https://www.godaddy.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some characters are **too** special.

|GoDaddy|

`GoDaddy SFTP <https://www.godaddy.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Max 14 characters for the most important password in your shared hosting environment.

|GoDaddy SFTP|

`Her Majesty’s Revenue & Customs (UK Tax) <https://www.tax.service.gov.uk/government-gateway-registration-frontend?accountType=individual&continue=%2Fpersonal-account%2Fdo-uplift&origin=unknown>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We store basically all of your data, but we can't store your password.

|Her Majesty’s Revenue & Customs|

`Hetzner <https://hetzner.com>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- 8 or more characters
- At least one uppercase and one lowercase letter
- At least one number or special character

Okay, fair enough, but after putting in a password with some special characters this message appears:

- Invalid characters, allowed are: A-Z a-z 0-9 ä ö ü ß Ä Ö Ü ^ ! $ % / ( ) = ? + # - . , ; : ~ * @ [ ] { } _ ° §

You can't use ``&<>'"\|´```, spaces or any other non-ASCII character.

|Hetzner|


`ING, a Dutch bank in almost 50 countries <https://www.ing.nl/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Max 20 characters, must have one number, one upper case character and one lower case character.
You can only use certain special characters.
When I asked about it, they answered that it's really hard to change it.
When I asked if the password is saved as a hash or just plain, they sent the answer to the technical department.
This was March 2018.

|ING Bank|



`ING Australia <https://www.ing.com.au/securebanking/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

4 numeric digits.
"Added security" by randomising the positions on the keypad. Must be clicked.

|ING Australia|


`ING Romania's Internet Banking Portal <https://www.homebank.ro/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

No more, no less than 5 digits. This is the password you use to log in and to confirm
online transactions. They used to have "normal" passwords and they forced everybody to
change to the 5 digits versions. They said they've made it "so it's easier for you" and it's
OK, because everybody has 2FA.

|ING Romania|


`Inria <https://vpn1-roc.national.inria.fr/+CSCOE+/logon.html>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the account for those who work at `Inria
<https://www.inria.fr/>`__, "the French national research institute for
the digital sciences".

You have to wonder what's wrong with these special characters but not
the other ones.

- Password expiration once a year
- Your password must contain at least 8 characters.
- Your password can't be a commonly used password.
- Your password can't be entirely numeric.
- Your password cannot contain non ascii chars
- Your password cannot contain ^ " ' space ; \ /
- Your password must contain at least 2 punctuation
- Your password must contain at least 1 uppercase
- Your password must contain at least 1 lowercase
- Your password cannot contain your login (or substring of login)
- Your password cannot contain your last name (or substring of last name)
- Your password cannot contain your first name (or substring of first name)

|Inria|


`Intel <https://www-ssl.intel.com/content/www/uk/en/my-intel/reseller-sign-in-help.html>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

|Intel|


`Izly by Crous <https://mon-espace.izly.fr/Home/Logon>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Izly by Crous is an **imposed** French payment service for the
university. You can't pay your daily meal without that because yeah you
know cash is an ancient dumb thing.

Your username is firstname.lastname@youruniversity.fr or your phone
number. We only allow you a fixed 6 numbers password. Oh yeah we also
block your account after three failed attempts. How convenient when the
only thing you need to know is the name of someone and where they study.
How convenient indeed.

Oh and also look we got pages **NOT TRANSLATED IN FRENCH** because duh.

|Izly by Crous|

`Lloyds Bank <https://online.lloydsbank.co.uk/personal/logon/login.jsp>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Max 15 characters, min 8. You cannot use **ANY** special characters -
alphanumerics only. This amazingly terrible password policy combines
with a known phrase (the "Memorable Information"), from which you will be
asked for 3 random characters if you get your password right.
This phrase has similar alphanumeric restrictions applied.

|Lloyds|

`Jitterbit <https://www.jitterbit.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

While not the dumbest password rule, still dumb.

    Password must have a length of at least eight characters and contain
    at least one: number, special char ``!#$%-_=+<>``, capital letter,
    and lowercase letter.

|Jitterbit|

`LibraryThing <https://www.librarything.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"Your password cannot be longer than 20 characters"

|LibraryThing|

`Lowes <https://www.lowes.com/mylowes/login>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Be 8 to 12 characters in length
- Include at least 1 letter and 1 number
- Contain no spaces
- Contain no more than 3 of the same consecutive characters

|Lowes|

`Maxpreps <http://www.maxpreps.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

`Natalie Weiner <https://twitter.com/natalieweiner/status/1034533245839450113?s=19>`__
can't sign in because her last name is offensive language for the website.

|Maxpreps|

`ME Bank <https://ib.mebank.com.au/authR5/ib/login.jsp>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Must be all numerals.
- Be 7 to 20 digits.
- Cannot have the same number three times in a row.
- Cannot have four ascending or descending numbers.
- Cannot have the same number appear more than five times.
- Cannot have pairs next to each other if the second pair is one number higher.
- Cannot be the same as 8 previous ones.

|ME Bank|

`Merrill Lynch <https://www.benefits.ml.com/Core/User/ChangePassword>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Passwords must be between 8 and 20 characters, and some special
characters are allowed. Users with randomly-generated passwords may find
it particularly annoying to generate a password that works for their
password safe.

|Merrill Lynch|

`Major League Baseball <https://securea.mlb.com/enterworkflow.do?flowId=registration.connect.wizard&c_id=mlb&template=mobile&forwardUrl=https://www.mlb.com>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When creating a new account they enforce some password rules like: length must be
between 8 and 15 characters and there must be one upper case, one lower case letter
and one number.

|MLB|

`MetLife <https://online.metlife.com/edge/web/profile/viewProfile?show=profileSettings>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Max length of 20 characters, no special characters allowed.
Pasting into the second password field is disabled even with
the Chrome extension Don't Fuck With Paste.

|MetLife|

`Microsoft (work accounts) <https://account.activedirectory.windowsazure.com/ChangePassword.aspx>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What doesn't seem to be a problem for personal accounts, is for work
accounts from Microsoft (e.g. Office 365 etc.).

Maximum 16 characters. So forget about using your new fancy diceware
password here - or really any secure passwords in general.

Oh - and besides that, please don't use any "exotic" symbols, like ¤ or
€. Or the letters Æ, Ø or Å from the Danish alphabet. They all are
supposedly "spaces".

|Microsoft (work accounts)|

`Mindware <https://secure.mindware.orientaltrading.com/web/login/createUser>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You "*may use special characters*", but only some of them - and we won't
necessarily tell you which ones.

| |Mindware|
| |Mindware|

`MKB NetBankár <https://www.mkbnetbankar.hu/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

| It only accepts lowercase letters, uppercase letters and numbers (any
  other character counts as forbidden character).
| Also, if your password contains any invalid character, it will get
  marked as "Identical to the former 10 passwords".

| To make it more fun, during the registration, it allows you to set a
  24-character password to log in to their website.
| Once you try to login with the password, it will say that the maximum
  length accepted is 16 characters.
| What actually happens, is that they let you insert 24 characters
  during registration, but only the first 16 will get actually used as
  password.

|MKB NetBankár|

`Mobi Bike Share <https://www.mobibikes.ca/en/register>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your PIN (which is the password you use to login, which lets you, say, buy hundreds of dollars worth of bike-share subscriptions off the saved credit card) must be four numeric digits. Helpfully, they even give you an example of a PIN: *1234*.

|Mobi Bike Share|


`Movistar <https://www.movistar.es/particulares/Privada/Registro/?url=%2Fmimovistar-cliente%2Fes-es%2Fparticulares%2Fregistro%2FdatosUsuario.html&>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Min 7 and max 8 characters for password! Also to be different than the
username: the user name is automatically generated and is based on the
surname of the user with some characters replaced by digits :)

Has been that way for more than 10 years.

|Movistar|

`MobileIron MDM <https://www.mobileiron.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can't make this up - no dictionary words, no more than 2 repeating
characters, no alphabetic sequences, no whitespace, 3 character sets,
maximum of 32 characters.


|MobileIron|

`Mycanal <https://www.mycanal.fr/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Minimum of 8 characters
- Contain at least 1 uppercase character or 1 number
- Cannot contain these characters: ‹ › ' "

|Mycanal|

`NBank <https://www.nbank.de/Service/Kundenportal/Zugang-zum-Kundenportal/index.jsp>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

User ID *has to* contain special characters, password *may not* contain (basically) any special characters.

|NBank|

`Omnivox <https://cegep-ste-foy.omnivox.ca/Login/Account/Login>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Password length must be 8 to 20 characters long with lower case characters and numbers only.

|Omnivox|

`Nevada DMV <https://dmvnv.com/onlineservices.htm>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- Password length must be exactly 8 characters in length
- Password must contain at least one letter (any position)
- Password must contain at least one number (any position)
- Password must contain one of the following special characters: @ # $
- Password is not case sensitive

|Nevada DMV|

`Oracle <https://profile.oracle.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*Should not* or *must not*? RFC 2119 may want a word with you.

|Oracle|

`Origin <https://www.origin.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Password must be between 8 and 16 characters long

|Origin|

`PagoMisCuentas <https://www.pagomiscuentas.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Password must be between 8 and 15 alphanumeric characters, and have
at least one uppercase and one lowercase letter.

|PagoMisCuentas|

`Parnassus Investments <https://www.parnassus.com/your-account/newaccount/open-account-intro/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A site responsible for protecting your investments limiting you to a
four character range with a bunch of other stupid rules? Shocking.

|Parnassus|

`PayPal <https://www.paypal.com/myaccount/settings/password/edit/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We'll tell you not to use your name as your password, but we won't tell
you how we restrict your password choice otherwise.

|PayPal|

`Paytm <https://paytm.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Password must be between 5 and 15 characters. Also, spaces don't count
as characters.

|Paytm|

`PizzaHut <https://www.pizzahut.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Passwords must be greater than 6 characters, and have an arbitrary set of rules we don't tell you about until after you try to set your password.

|PizzaHut-1|
|PizzaHut-2|
|PizzaHut-3|

`Premera Blue Cross <https://account.premera.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Password must contain 8-30 characters, including one letter and one number.
"Special characters allowed" seems to mean a very small handful of choices you can only find through trial and error: ``-_'.@``

|Premera Blue Cross|

`Raiffeisen Bank Serbia <https://rol.raiffeisenbank.rs/Retail/home/login/>`__
~~~~~~~~~~~~~~~~~~~~~~~

There are a couple of password limitations when creating a new account on
Raiffeisen Bank Serbia on-line banking portal. Password length is limited to
minimum 8 and maximum 16 characters. Also, minimum uppercase letters 1, minimum
lowercase letter 1, minimum digits 2, maximum consecutive identical characters 4
and first character must be a letter. Oh... And, no special characters!

|Raiffeisen Bank Serbia|

`Red Hat <https://www.redhat.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Symbols. You keep using that word. I don't think it means what you think
it means.

|Red Hat|

`Rediff <https://www.rediff.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A maximum password length of 12. The hidden requirements are:

- at least 1 uppercase letter
- at least 1 lowercase letter
- at least 1 numeric character
- at least 1 special symbol (which cannot be ^, %)

|Rediff|

`Roll 20 <https://app.roll20.net/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your new password must be at least 4 characters long and no longer than 40 characters. Your password was not changed.

|Roll 20|

`Rushmore Loan Management Services <https://rushmore.customercarenet.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hmmm.. why are they afraid of double and single quotes in my passwords?

|Rushmore|

`SAP Cloud Appliance Library <https://cal.sap.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Passwords between 8 and 9 characters are the best.

|SAP Cloud Appliance Library|

`Scandinavian Airlines <https://www.flysas.com/us-en/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The password rules themselves are fine, but the site doesn't inform you about the max length of the password.
Their max length is 14 characters, so even if you enter a password of 42 chars, you can log in with the first 14 of it.
In this case, I changed my password to **Super_l0ng_password_that_fits_all_criteria**, and could log in with **Super_l0ng_pas**

Answer from SAS customer service::

> Hi,
> Thank you for your e-mail.
> Our website only takes 14 characters as a password, so somehow when you registered it took all 49.
> But since our website only asks for 14 characters anything after will be valid.
> I would advice you to change your password.
> Have a wonderful day.

|Scandinavian Airlines|

`Safeway <https://shop.safeway.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Passwords limited to 8-12 characters.

|Safeway|

`Sears <https://www.sears.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

| "cAsE sensitive, no spaces, ! or ?
| 8 characters min - 1 letter, 1 number
| Can't repeat same character more than 3 times in a row
| Cannot be or contain your username or email address"

|Sears|

`Singapore Airlines <https://www.singaporeair.com/en_UK/ppsclub-krisflyer/registration-form/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

``/[0-9]{6}/``

|Singapore Airlines|

`Sky Ticket <https://skyticket.sky.de/home/login/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sky is a German pay-TV provider with over 23 million subscribed users worldwide. They also have an online streaming service called "Sky Ticket".

You can only set a **4-digit PIN**, with no option for two-factor authentication or any additional security mechanisms.

|Sky Ticket|

`Slovenska sporitelna <https://mysecurity.slsp.sk/zmena-hesla>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Slovenska sporitelna is the biggest bank in Slovakia. Despite a pretty new version of its internet banking (rolled out in 2018), its password policy restricts passwords to at most 16 characters and prohibits any special characters.

|Slovenska sporitelna|

`Sparda-Bank <https://banking.sparda-m.de/spm/?institut=7009>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sparda is a group of German banks. They all use the same login form (except for Sparda-Bank Berlin, see below). Their equivalent of a password is called *Online-PIN*. As the name implies, only digits are allowed. (*Zifferneingabe* means "digit input"; it opens an on-screen number pad widget.)

|Sparda M 1|

Not mentioned explicitly: Your PIN is limited to 6 characters, i.e. the range of valid "passwords" is from ``000000`` to ``999999``.

|Sparda M 2|

The odd one out is Sparda-Bank Berlin, which has different rules:

- At least 8 characters.
- At most 20 characters.
- Only the following characters are allowed: a-z, A-Z, ä/Ä, ö/Ö, ü/Ü, ß, 0-9, and the "special characters" ``@!%&/=?*+;:,._-``.
- Your password must use either digits only (like a PIN) or at least one digit and at least one uppercase letter.

|Sparda B|

`Southwest <https://www.southwest.com>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Password must be between 8 and 16 characters in length and include at least one uppercase letter
and one number. Certain special characters are also allowed, but the first character of the password must be alphanumeric.

|Southwest|

`Sparkasse <https://s-jena.de>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

„Sparkasse“ is a group of banks which is pretty popular in Germany. It
calls its passwords „PIN“ („persönliche Identifikations-Nummer“ —
personal identification number). The rules are pretty horrific, and it's
not even a number, even though it is called one! Here is a
screenshot from the branch where I am from (Jena, Germany), but since
they have a central IT, I think it will be identical in other branches:

|Sparkasse Jena|

The rules are as such:

-  Only 5 characters
-  Small letters (a-z)
-  Large letters (A-Z)
-  Numbers (0-9)
-  „Special“ characters: ä,ö,ü,Ä,Ö,Ü and ß (Not surprising for a German
   company)

After the rules there are some hints on what the password should not look
like:

-  Combinations of your initials and your birth year
-  Your phone number or parts thereof
-  Your zipcode
-  Common combinations like 123ab or 55555
-  Full or parts of your login credentials

`Sprint <https://mysprint.sprint.com>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sprint "upgraded" their security and disallow special characters.

|Sprint|

`State Bank of India (Foreign Travel Card) <https://prepaid.onlinesbi.com/SBICMS/jsp/Portals/jsp/foreignCard.jsp>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

State Bank of India is the largest government-operated bank in India.
They offer "travel" prepaid cards for foreign currencies; these rules are
from the portal where prepaid card users manage their accounts.

Your password must:

-  Be between 8 and 9 characters long
-  Contain at least 1 lowercase character
-  Contain at least 1 uppercase character
-  Contain at least 1 special character
-  Contain at least 1 number
-  NOT contain any "hacking characters" - #, %, &, =, /, <

|SBI|

`SunTrust <https://www.suntrust.com/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At least there are a variety of special characters to choose from.

|SunTrust|

`Synchrony Financial <https://consumercenter.mysynchrony.com/consumercenter/securityinfoaction_change_password_review_cancel.do>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Financial services - where we don't allow you to create the strongest
password possible.

|Synchrony Financial|

`T-Mobile <https://account.t-mobile.com/oauth2/v1/changePassword>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We prefer to not tell you which characters you can use up front.

|T-Mobile|

`Techcombank <https://ib.techcombank.com.vn/servlet/BrowserServlet>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password must:

- Be between 6 and 8 characters long
- Contain at least 1 number character
- Contain at least 1 lowercase character
- Contain at least 1 uppercase character
- Contain neither spaces nor Unicode characters. In fact,
  NO special characters are allowed
- Be changed every 90 days

|Techcombank|

`Telekom/T-Systems MyWorkplace <https://www.websso.t-systems.com/MyWorkplace/General/TSIPageContainer.aspx>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Telekom's MyWorkplace is a Single Sign On / login hub for their
Open Telekom Cloud, which is basically an Amazon AWS clone. It's
rather new and aimed especially at business customers. Precisely
because it is for business customers, there's absolutely no reason
to limit a password to 16 characters. Even special characters are
limited to a certain set.

|MyWorkplace|

`Thames Water <https://www.thameswater.co.uk/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can only use the "special" characters on that very limited list, which excludes even symbols as exotic as an underscore. This is despite their own strength checker saying the password is strong.

|ThamesWater|

`Ticketmaster.de <https://www.ticketmaster.de/myAccount/editProfile>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password length is limited between 8 and 32 characters.

|Ticketmaster.de|

`Trade Me <https://www.trademe.co.nz>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Won't allow spaces or single quotes. Maybe other characters as well -
they do not say up front - but the password they accepted contained lots
of other special characters.

|TradeMe|

`TreasuryDirect <https://www.treasurydirect.gov/RS/UN-Display.do>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Will allow most passwords longer than 8 characters. Doesn't tell you there is a
maximum length of 16 characters. Then forces you to type it with an on-screen keyboard
with no capital letters.

|Treasury1|

|Treasury2|

`TwinSpires <https://www.twinspires.com/account/register>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can gamble on our site. We'll keep your money secure with a 12 character password!

|TwinSpires|

`Ubisoft <https://account.ubisoft.com/en-GB/action/change-password>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Only tells you the rules after submitting and clicking a link to a pop
up window.

|Ubisoft|

`Unicaja <https://areaprivada.unicajabanco.es/PortalServlet?pag=1533643502465&np=S>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Username is your national Spanish ID (easy to find).
Your password must be 6 characters long. You can't type, only select characters from the virtual keyboard.

|Unicaja|

`United Parcel Service of America <https://www.ups.com/doapp/signup>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password must:

- Be between 7 and 26 characters long
- Contain at least 1 lowercase character
- Contain at least 1 uppercase character
- Contain at least 1 number character
- Contain one special character (!@#$%*)
- NOT contain first or last name
- NOT contain UPS user ID
- NOT contain email address

|United Parcel Service of America|

`United States Postal Service <https://reg.usps.com/entreg/secure/ChangePasswordAction_input>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pick from an arbitrary list of symbols, and no repeating characters.

|United States Postal Service|

`University of California San Diego <https://www.ucsd.edu>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Passwords must be between 8 and **11** characters long!

|University of California San Diego|

`University of Texas at Austin <http://www.utdirect.utexas.edu/utdirect/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Because of the last two rules, which ban dictionary words and any
variants using symbol substitutions, *neither* of the passwords
presented in the `xkcd comic <https://xkcd.com/936/>`__ is allowed.

|University of Texas as Austin|

`University of Windsor <https://uwindsor.teamdynamix.com/TDClient/KB/ArticleDet?ID=46793>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The password policy applies to alumni as well. Must be at least 10
characters long, with at least 1 upper case and 1 lower case
character, at least 1 number, at least 1 special character. Password
expires every 120 days, and you can't reuse an old one.

|University of Windsor|

`USAA Bank <https://www.usaa.com/inet/pages/security_take_steps_protect_logon>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Password cannot be longer than 12 characters but they don't tell you that until after you try a new password. To make up for this fact they've added dubious additional security features on top of this weak foundation.


|USAA|

`URSSAF (French employers tax collection service) <https://www.autoentrepreneur.urssaf.fr>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When setting a new password:
Password must be exactly 8 characters, at least 1 letter, at least 1 number, but no special characters.


|URSSAF|

`Vancity Credit Union <https://support.vancity.com/17-forget-pac/>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Personal Access Code (or PAC; they are too ashamed to call it a password) must be between 5 and 8 digits and cannot start with '0' (no letters or symbols).

|Vancity Credit Union|

`Very.co.uk <https://www.very.co.uk/account/myaccount/changePassword.page>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Password field allows *only* the listed Special Characters ($ . , ! % ^ \*).
You're also forced to use both upper- and lowercase letters, as well as a number.

|Very|

`Vietnam Airlines <https://www.vietnamairlines.com/lotusmiles/enroll-new>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

``[[:alnum:]]{6,8}``

|Vietnam Airlines|

`Vio Bank <https://www.viobank.com>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The password requirement is not even fully enumerated. Upon inspection of the source code, the following line was found, hidden by JavaScript: "Must include at least %MINSPECIAL of the following characters:-.~!@#&_{}|:$%^*()=[];?/+"

The actual list of special characters that are prohibited is correctly enumerated there. It's a result of `a misapplication <https://cibng.ibanking-services.com/cib/scripts/jquery/custsvc/custSvcChangePassword.js>`__ of the `variable allowedSpecialCharacters found here <https://cibng.ibanking-services.com/cib/scripts/jquery/custsvc/fis-visual-validator.js?version=20180507>`__.

It took under 5 minutes to find the bug after looking at the source for the first time. This is a bank.

|Viobank|

`Virgin Media <https://my.virginmedia.com/forgot-details/reset>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password needs to be between 8 and 10 characters long, with no
spaces, and must contain only numbers and letters. The first character
must be a letter.

|Virgin Media|

`Virgin Mobile <https://myaccount.virginmobileusa.com/primary/my-account-settings-change-pin>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can only use PIN as your password.

|Virgin Mobile|

`Virgin Trains <https://www.buytickets.virgintrains.co.uk/buytickets/updatepersonaldetails.aspx#customerDetails>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password needs to be between 8 and 10 characters long. Previously
this would silently truncate the password without warning, causing
confusion when the password wouldn't work.

|Virgin Trains|

`Walmart <https://www.walmart.com/account/signup>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password length is limited between 6 and 12 characters.

|Walmart|

`Waze <https://www.waze.com/forgot_password>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After you request a password reset and receive an email with instructions and a link to reset your password, you are presented with this password reset form. Your password length is limited to between 8 and 16 characters. Additionally, the form breaks with an error if you use any special characters. The form does not mention anything about special characters. Waze is owned by Google.

|Waze|

`WeatherBug <https://www.weatherbug.com>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Maximum 16 characters.

|WeatherBug|

`Wells Fargo <https://oam.wellsfargo.com/oam/access/receiver?dest=MODIFY_PASSWORD>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password must be between 6 and 14 characters.

|Wells Fargo|

`WellStar MyChart <https://mychart.wellstar.org/mychart/accesscheck.asp>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password must be between 8 and 20 characters.

|WellStar MyChart|

`Westpac Live Online Banking <https://banking.westpac.com.au/secure/banking/administration/changepassword>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exactly 6 case-insensitive characters. No blanks, spaces or special characters.

|Westpac Live Online Banking|

`Williams-Sonoma <https://secure.williams-sonoma.com/account/updatepassword.html>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

25 maximum characters and disallowing some specials.

|Williams-Sonoma|

`Wells Fargo Identity Theft Protection <https://enhanced.wellsfargoprotection.com/secure/MyProfile.aspx>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your password on an Identity Theft Protection service is limited to
between 8 and 20 characters. Your username is allowed to be longer than
your password.

|Wells Fargo Identity Theft Protection|

.. |Admiral| image:: /screenshots/admiral.png
.. |ADP| image:: /screenshots/adp.png
.. |Advanzia| image:: /screenshots/advanzia.png
.. |Aigues de Barcelona| image:: /screenshots/aigues_barcelona.png
.. |Air France| image:: /screenshots/airfrance.png
.. |ameli.fr| image:: /screenshots/ameli.fr.png
.. |American Express| image:: /screenshots/american-express.jpg
.. |AmeriHealth| image:: /screenshots/amerihealth.png
.. |AmiAmi| image:: /screenshots/amiami.jpg
.. |ANZBank| image:: /screenshots/anz_bank.png
.. |AOL| image:: /screenshots/aol.png
.. |Apple| image:: /screenshots/apple.jpg
.. |Arbeitnehmeronline| image:: /screenshots/arbeitnehmeronline.png
.. |Arlo| image:: /screenshots/arlo.png
.. |ATT| image:: /screenshots/att.png
.. |Banco Mercantil| image:: /screenshots/banco-mercantil.png
.. |Bank Millennium| image:: /screenshots/bank-millennium.png
.. |Battle.net| image:: /screenshots/battlenet.png
.. |BBVA| image:: /screenshots/bbva.png
.. |BDO| image:: /screenshots/bdo.png
.. |Bendigo Bank| image:: /screenshots/bendigo_bank.png
.. |Best Buy| image:: /screenshots/bestbuy1.png
.. |Best Buy2| image:: /screenshots/bestbuy2.png
.. |Blackrock| image:: /screenshots/blackrock.png
.. |Blue Cross Blue Shield Massachusetts| image:: /screenshots/bcbs-massachusetts.png
.. |Boursorama| image:: /screenshots/boursorama.png
.. |BMO Bank of Montreal| image:: /screenshots/bmo.png
.. |BMW ConnectedDrive| image:: /screenshots/bmw-connected.PNG
.. |California DMV| image:: /screenshots/ca-dmv.png
.. |CenturyLink| image:: /screenshots/centurylink.png
.. |CIBC| image:: /screenshots/CIBC.png
.. |Chase| image:: /screenshots/chase.jpg
.. |Chegg1| image:: /screenshots/chegg1.png
.. |Chegg2| image:: /screenshots/chegg2.png
.. |Chegg3| image:: /screenshots/chegg3.png
.. |Comcast| image:: /screenshots/comcast.png
.. |Commsec| image:: /screenshots/commsec.png
.. |Copyright.gov| image:: /screenshots/copyright-gov.png
.. |csu.edu.au| image:: /screenshots/csu.edu.au.png
.. |DBS| image:: /screenshots/dbs.png
.. |Dell| image:: /screenshots/dell.png
.. |Deloitte GlobalAdvantage| image:: /screenshots/deloitte.png
.. |Delta| image:: /screenshots/delta.jpg
.. |DJI| image:: /screenshots/dji-drones.png
.. |Easybank| image:: /screenshots/easybank.png
.. |Easyjet| image:: /screenshots/easyjet.png
.. |Dutch Tax Authorities| image:: /screenshots/belastingdienst.jpg
.. |El Corte Ingles| image:: /screenshots/elcorteingles.png
.. |e-learning (Unipd)| image:: /screenshots/elearning.math.unipd.png
.. |EON| image:: /screenshots/eon.png
.. |Fidelity| image:: /screenshots/fidelity.png
.. |FIS Global| image:: /screenshots/fisglobal.png
.. |Fundatec| image:: /screenshots/fundatec.png
.. |Getin Bank| image:: /screenshots/getin.png
.. |Global Entry| image:: /screenshots/global-entry.png
.. |GoDaddy| image:: /screenshots/godaddy.png
.. |GoDaddy SFTP| image:: /screenshots/godaddy-sftp.png
.. |Her Majesty’s Revenue & Customs| image:: /screenshots/tax.service.gov.uk.png
.. |Hetzner| image:: /screenshots/hetzner.png
.. |Inria| image:: /screenshots/inria.png
.. |Intel| image:: /screenshots/intel.jpg
.. |ING Bank| image:: /screenshots/ingbank.png
.. |ING Australia| image:: /screenshots/ingaustralia.png
.. |ING Romania| image:: /screenshots/ingromania.jpg
.. |Izly by Crous| image:: /screenshots/izly-by-crous.png
.. |Jitterbit| image:: /screenshots/jitterbit.png
.. |LibraryThing| image:: /screenshots/librarything.png
.. |Lloyds| image:: /screenshots/lloyds.png
.. |Lowes| image:: /screenshots/lowes.png
.. |ME Bank| image:: /screenshots/me-bank.png
.. |MLB| image:: /screenshots/mlb.png
.. |Merrill Lynch| image:: /screenshots/merrill-lynch.png
.. |Maxpreps| image:: /screenshots/maxpreps.png
.. |MetLife| image:: /screenshots/metlife.png
.. |Microsoft (work accounts)| image:: /screenshots/microsoftwork.png
.. |Mindware| image:: /screenshots/mindware1.png
.. |Mindware2| image:: /screenshots/mindware2.png
.. |MKB NetBankár| image:: /screenshots/mkb.png
.. |Mobi Bike Share| image:: /screenshots/mobibikes.png
.. |MobileIron| image:: /screenshots/mobileiron.png
.. |Movistar| image:: /screenshots/movistar.jpg
.. |Mycanal| image:: /screenshots/mycanal.png
.. |NBank| image:: /screenshots/nbank.jpg
.. |Nevada DMV| image:: /screenshots/dmvapp.nv.gov.png
.. |Omnivox| image:: /screenshots/omnivox.png
.. |Oracle| image:: /screenshots/oracle.png
.. |Origin| image:: /screenshots/origin.png
.. |PagoMisCuentas| image:: /screenshots/pagomiscuentas.png
.. |Parnassus| image:: /screenshots/parnassus.png
.. |PayPal| image:: /screenshots/paypal.png
.. |Paytm| image:: /screenshots/paytm.png
.. |PizzaHut-1| image:: /screenshots/pizzahut1.png
.. |PizzaHut-2| image:: /screenshots/pizzahut2.png
.. |PizzaHut-3| image:: /screenshots/pizzahut3.png
.. |Premera| image:: /screenshots/premera.png
.. |Raiffeisen Bank Serbia| image:: /screenshots/raiffeisen_bank_srb.png
.. |Red Hat| image:: /screenshots/redhat.png
.. |Rediff| image:: /screenshots/rediff.png
.. |Roll 20| image:: /screenshots/Roll20.png
.. |Rushmore| image:: /screenshots/rushmore-loan-managment-services.png
.. |SAP Cloud Appliance Library| image:: /screenshots/sapcal.png
.. |Scandinavian Airlines| image:: /screenshots/sas.no.png
.. |Safeway| image:: /screenshots/safeway.png
.. |Sears| image:: /screenshots/sears.png
.. |Singapore Airlines| image:: /screenshots/singaporeairlines.png
.. |Sky Ticket| image:: /screenshots/sky-ticket.png
.. |Slovenska sporitelna| image:: /screenshots/slsp.png
.. |Southwest| image:: /screenshots/southwest.png
.. |Sparda M 1| image:: /screenshots/sparda-m-1.png
.. |Sparda M 2| image:: /screenshots/sparda-m-2.png
.. |Sparda B| image:: /screenshots/sparda-b.png
.. |Sparkasse Jena| image:: /screenshots/sparkasse_jena.png
.. |Sprint| image:: /screenshots/sprint.png
.. |SBI| image:: /screenshots/sbi.png
.. |SunTrust| image:: /screenshots/suntrust.png
.. |Synchrony Financial| image:: /screenshots/synchrony.png
.. |T-Mobile| image:: /screenshots/tmobile.png
.. |Techcombank| image:: /screenshots/techcombank.png
.. |MyWorkplace| image:: /screenshots/myworkplace.png
.. |ThamesWater| image:: /screenshots/ThamesWater.png
.. |Ticketmaster.de| image:: /screenshots/ticketmaster-de.png
.. |TradeMe| image:: /screenshots/trademe.jpg
.. |Treasury1| image:: /screenshots/treasury1.png
.. |Treasury2| image:: /screenshots/treasury2.png
.. |TwinSpires| image:: /screenshots/twinspires.png
.. |Ubisoft| image:: /screenshots/ubisoft.PNG
.. |Unicaja| image:: /screenshots/unicaja.png
.. |United Parcel Service of America| image:: /screenshots/ups.png
.. |United States Postal Service| image:: /screenshots/usps.png
.. |University of California San Diego| image:: /screenshots/ucsd.png
.. |University of Texas as Austin| image:: /screenshots/ut-austin.png
.. |University of Windsor| image:: /screenshots/uwindsor.png
.. |USAA| image:: /screenshots/usaa.png
.. |URSSAF| image:: /screenshots/urssaf.png
.. |Vancity Credit Union| image:: /screenshots/vancity.png
.. |Very| image:: /screenshots/very.png
.. |Vietnam Airlines| image:: /screenshots/vietnamairlines.png
.. |Viobank| image:: /screenshots/viobank.png
.. |Virgin Media| image:: /screenshots/virginmedia.jpg
.. |Virgin Mobile| image:: /screenshots/virginmobile.png
.. |Virgin Trains| image:: /screenshots/virgintrains.jpg
.. |Walmart| image:: /screenshots/walmart.png
.. |Waze| image:: /screenshots/waze.png
.. |WeatherBug| image:: /screenshots/weatherbug.png
.. |WellStar MyChart| image:: /screenshots/wellstar-mychart.png
.. |Wells Fargo| image:: /screenshots/wells-fargo.png
.. |Westpac Live Online Banking| image:: /screenshots/westpac.png
.. |Williams-Sonoma| image:: /screenshots/williams-sonoma.png
.. |Wells Fargo Identity Theft Protection| image:: /screenshots/wells-fargo-identity-theft-protection.png
