I tweeted about this but wanted to document it here for posterity. The Attorney General of Texas Child Support website has the worst set of password requirements I’ve ever seen.
Exactly eight characters? No consecutive repeating characters? This is the internet equivalent of everyone throwing their supposedly dangerous 3+ oz. liquid containers into one giant barrel where hundreds of people are queuing up for “security”. Makes you wonder how non-user-friendly the state’s actual child support process is.
Update: Here’s another bad password policy, courtesy of TechRepublic:
Can’t contain two separated numbers? I don’t even. If you’ve run across other examples like these, tweet at me.
Update: Troy Hunt has a list of bad password practices…for example, here’s ING’s 4-digit PIN login:
Four digits, numbers only…FOR A BANK! He also has a screenshot of American Express’ case-insensitive password rule.
Update: Jonathan Cogley signed up to access the web site of a “major credit card company” (AmEx?) and ran into the case insensitivity as well.
Update: BTW, there are many resources out there about choosing good passwords, but I found this one particularly helpful.
Update: This one from the US Citizenship and Immigration Services site is very similar to the Texas one.
Is there a consultant somewhere telling state and federal governments how not to do passwords? (via @kelseyfrost)
Update: I’ve gotten several notes about ING…their PINs are 6+ digits but still only numbers, which seems trivial to hack, even with their ever-shifting numeric keypad (readily OCR-able) and image verification (isn’t foolproof).
Update: Suncorp Bank requires that passwords be 6-8 characters and can’t contain consecutive numbers or special characters.
Chase requires a password for your password so you can log in while you log in. Or something.
But the best one so far might be for Sabre Red, a booking system used by travel agents.
7-8 characters in length, no special characters, no more than two repeating characters, and you cannot use the letters Z or Q (presumably a holdover from the days when phone keypads didn’t have Qs or Zs). Wow. (via @SteveD503, @albedoa & @TheLoneCuber)
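To put numbers on how much rules like these shrink the search space, here is an added example (not part of the original post) that counts the passwords each policy allows. The alphabet sizes are assumptions, since the policies above don't all state their character sets: 62 case-sensitive alphanumerics for the Texas rule, 34 symbols (case-insensitive letters without Q and Z, plus digits) for Sabre Red, "no more than two repeating characters" read as no run of three identical characters, and a constructed 12-character baseline for comparison.

```python
import math

def count_strings(alphabet_size, length, max_run=None):
    """Count strings of `length` symbols in which no symbol occurs more than
    `max_run` times in a row (max_run=None means no run restriction)."""
    if max_run is None or max_run >= length:
        return alphabet_size ** length
    # runs[r-1] = valid strings of the current length ending in a run of exactly r
    runs = [alphabet_size] + [0] * (max_run - 1)
    for _ in range(length - 1):
        total = sum(runs)
        # A different symbol restarts the run at 1; the same symbol extends a
        # run of r to r+1, and strings already at max_run cannot be extended.
        runs = [total * (alphabet_size - 1)] + runs[:-1]
    return sum(runs)

def keyspace(alphabet_size, min_len, max_len, max_run=None):
    """Total passwords allowed across every permitted length."""
    return sum(count_strings(alphabet_size, n, max_run)
               for n in range(min_len, max_len + 1))

# (label, alphabet size, min length, max length, max run); the alphabet sizes
# for the Texas and Sabre Red rows are assumptions, and the baseline row is a
# constructed comparison, not a policy from the post.
POLICIES = [
    ("4-digit PIN", 10, 4, 4, None),
    ("6-digit PIN", 10, 6, 6, None),
    ("Texas: exactly 8, no consecutive repeats", 62, 8, 8, 1),
    ("Sabre Red: 7-8, no Q/Z, no specials", 34, 7, 8, 2),
    ("Baseline: 12 chars, 95 printable ASCII", 95, 12, 12, None),
]

def report():
    """Return (label, allowed passwords, bits of keyspace) for each policy."""
    rows = []
    for label, size, lo, hi, run in POLICIES:
        allowed = keyspace(size, lo, hi, run)
        rows.append((label, allowed, round(math.log2(allowed), 1)))
    return rows

if __name__ == "__main__":
    for label, allowed, bits in report():
        print(f"{label:45} {allowed:>26,} ~{bits} bits")
```

The repeat restrictions themselves remove only a small fraction of the space; the length caps and small alphabets account for most of the loss.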
Update: Here’s another one, from some unspecified site: