The Crapola Hall of Shame: Sites with myopically weak or dumb password limitations


Lob

What could possibly go wrong?
Nov 7, 2020
Ladies and Gentlemen, given the recent news around passwords and the probable need for many to change them, I give you some great sites and services that are a bit, well, crap.

Feel free to bring your own examples :)

Paypal:
[image: Paypal WTF.jpg]

Successfactors from SAP will not accept a password of over 18 characters. Attempting to use a password longer than this results in the following verbose error message:
Password must be at least 8 characters long. Password must not be longer than 18 characters. Password must contain at least one upper case and one lower case letter. Password must contain at least one number or punctuation character. Password must not contain space or unicode characters.
It seems the special character, space, is particularly troublesome.

Taleo, an Oracle service, allows up to 32 characters but chokes on certain special characters.
Please note that the password must respect the following rules:
  • It must contain between 6 and 32 characters. Use only characters from the following set: ! # $ % & ( ) * + , - . / 0123456789 : ; < = > ? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [ \ ] _ ` abcdefghijklmnopqrstuvwxyz { | } ~
  • It must contain at least 1 letter(s) (ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz).
  • It must contain at least 1 numeric character(s) (0123456789).
  • It must not contain more than 4 identical consecutive characters (AAA, iiii, $$$$$ ...).
  • It must not contain your user name.
This is an extremely annoying combination for the password generator since I end up disabling special characters for the generated password.
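An added example (not from the original post or from Taleo): a checker for the five Taleo rules quoted above, plus a generator that draws only from Taleo's allowed set so the permitted specials can stay enabled instead of being switched off. The case-insensitive user-name check and the "more than 4" meaning five or more in a row are my reading of the quoted rules.

```python
import math
import re
import secrets
import string

# Allowed set copied from the rules quoted above: note that " ' and ^ are absent.
TALEO_SPECIALS = "!#$%&()*+,-./:;<=>?@[\\]_`{|}~"
TALEO_ALLOWED = string.ascii_letters + string.digits + TALEO_SPECIALS


def taleo_violations(password: str, username: str) -> list:
    """Return the quoted Taleo rules that `password` breaks (empty list = accepted)."""
    problems = []
    if not 6 <= len(password) <= 32:
        problems.append("length must be 6-32")
    if any(c not in TALEO_ALLOWED for c in password):
        problems.append("character outside the allowed set")
    if not any(c in string.ascii_letters for c in password):
        problems.append("needs at least one letter")
    if not any(c in string.digits for c in password):
        problems.append("needs at least one digit")
    # "More than 4 identical consecutive characters" read as 5+ in a row (assumption).
    if re.search(r"(.)\1{4}", password):
        problems.append("more than 4 identical consecutive characters")
    # Assumed case-insensitive, the conservative reading of "must not contain your user name".
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def generate_taleo_password(username: str, length: int = 32) -> str:
    """Draw uniformly from the full allowed set and resample until every rule passes."""
    while True:
        candidate = "".join(secrets.choice(TALEO_ALLOWED) for _ in range(length))
        if not taleo_violations(candidate, username):
            return candidate


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_taleo_password("jsmith")
    print(pw, taleo_violations(pw, "jsmith"))
    # Cost of disabling specials: 91-symbol set vs letters+digits only.
    print(round(entropy_bits(len(TALEO_ALLOWED), 32), 1), "bits with specials")
    print(round(entropy_bits(62, 32), 1), "bits alphanumeric only")
```

Dropping the specials costs about 18 bits at 32 characters, so keeping the allowed ones is worth the policy-aware generator.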
 
I wish I remembered what sites they were, but I remember a couple of things recently:

1) Sites that limit you to 16 characters (Aside from one saying there are old devices that don't support longer passwords, I don't see why this is even a limit)
2) Sites that set a max length on the password field, but don't tell you there's a max length. (Verizon is a special case here as before the breach, I signed up for their 5G Home Internet, and when I set up the account, turns out the max length is set on the mobile app, but not the website, so I basically locked myself out of using the mobile app for a bit)
3) Sites that have a character set which requires the four types of characters, but limit you on the special characters you can use. I saw both having a set of special characters you can't use, or a small set of special characters you can use.
 
When I worked for a state agency and had to check immigration status, the 'SAVE' site the government uses was a nightmare for password generation.
 
1) A site that says passwords can only be 8-16 characters long, and restricts the required special characters to a small subset, and expires the password every 60 days.

Grr,

2) A site that allowed me to enter a 16 character generated password, that included upper/lower, numeric and special, then wouldn't accept the password when I tried to log in after. After a lot of experimentation (and getting VERY familiar with using their live-phone-agent(?!) password recovery service), I determined that their login process would actually only allow 8 character passwords, and a rather restricted set of special characters.

Sigh.

3) Not really a password limitation, but nevertheless a maddening trend: 3rd-party federated authentication sites, because the original site owner can't figure out how to program a reasonable password update/login process themselves. The most recent example is the arrl.org site (the national association for amateur radio), which went to a federated login system that just truly SUCKS. I lost nearly a day to trying to come to terms with what they had done, when they re-launched their rebuilt site (which was down for several days because, you know, "Always release direct to production - what could possibly go WRONG?"). Again, they had no way to recover password lockouts, except via live phone support, and I ended up calling them about a dozen times that day. FINALLY got it working after realizing that their instructions were not clear as to WHICH values belonged in the 'username' field (It turned out to be my email address, NOT the username I had previously used before they re-wrote the site). The behavior now is really strange. The site will log you out after some period (hours/days) of time, but all you have to do is click 'login' and it will log you back in, based on cookies that are stored permanently in your browser instance (what could go wrong?). I had a similar experience with a dental insurance site. This trend is simply maddening.

Sheesh.
 
I don't know if it's still the case but Myspace used to let you enter any length password but only stored the first 10 characters. (You only needed to enter the first 10 to log back in.)
 
Asus has a login that is used for support and some of their software. It supports varying length passwords and allows for special characters which is fine and good.

Now if you want to log into the Asus forums, special characters in the password make it impossible to login. You must use only numbers and letters, though the forum password requirements don't say that. The users figured it out by trial and error. They just updated their forums this month, I have not checked to see if this is fixed.

401K.com for the last 20+ years required that your user name be your social security number. They finally changed that in 2021. I know it's not a password issue, but stupid anyway. They originally didn't allow special characters either. Now they do, but limit them. The password requirement allows 6 (yikes) to 20 characters but if you set it to 20 characters it shows that it is at the max as if this was an error. I don't know if it will accept 20 characters or not.