Just came across this abomination from Chase Payments that borders on a (computationally difficult) SAT instance.
Must be 8-32 characters long
Must include at least one UPPERCASE, one lowercase and one number
Must not have special characters or punctuation
Must be different than your previous 24 passwords
Must not include your Email ID partly or fully
Must not include your First Name or Last Name
Must not include more than 2 identical characters
Must not include more than 2 consecutive characters
Must not use the name of the financial institution (JPM, MORGAN, JPMORGAN, CHASE, JPMORGANCHASE, JPMC)
I used a Python REPL to tweak my password only to discover eventually that the 32 character length limit was a lie and they needed a 24 character password (or I missed a requirement).
Surely there isn’t anything worse?
Some of the comments here reminded me of a popular Stack Exchange post.
https://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants
Thanks for the laugh!
That was a wild ride!
My bank doesn’t allow copy/paste on inputs. I guess I better make sure my password is short and easy to type!
Digging through their code, there’s hacks to support IE4 and NN4. But a userscript was all that was needed to strip their event handlers to bring back paste functionality.
The dumbest rules are usually not on the passwords, they’re on the reset path. Some places give you security questions that you can’t change and all of which ask about things that a large subset of users post the answers to on Facebook. I had an astonishing experience with PNC bank doing a password reset for Internet banking:
They first started asking for the current balance. That was what I was trying to look up with Internet banking, so I couldn’t tell them. Having identified that this is what I wanted to know, they told me that this is a low security thing and so I could just do basic verification. They asked me my full name and address (possibly date of birth?) and then told me the current balance. I then cheekily said that now I knew the current balance, so I’d like to do the password reset. The person on the phone seriously told me that I couldn’t tell them things that they had told me and so transferred me to another helpdesk operative, who started again. 10 minutes after the start of the process, I had full control over the bank account, without needing to know anything that wasn’t either public or easy to steal. If someone leaked their mailing list then an attacker could easily take control of most of their accounts. If you have an account with them, make sure you shred your statements before throwing them away: they contain more than enough information for an account takeover.
I had a credit union membership in the USA, and I wanted to transfer any remaining funds and close it, since I hadn’t been there in years and have no plans to return.
They don’t use hardware 2fa/digital ID as here, but they use a third-party website that somehow digs up a lot of info about you, and asks you questions about it.
Some questions, like “which of these cars have you owned?”, were easy for me (never owned a car). Other questions were about addresses and zip codes, which I had forgotten, and I had to find every place I lived on google maps to get them (luckily I remember the rough city shapes and how to find my way around).
I’m glad they do it like that so I didn’t have to go there in person or anything, but I felt like I was hacking myself.
Those things would probably be on your credit report so they might have pulled that…
Recently I had to set up a password for a bank and the password had to have at least one “special character”. The front end and backend disagreed on what special characters were allowed, however, and so I’d get a green check mark in the UI and then an error upon submission.
Had to trial-and-error my way through that one.
40 thousand years in hell for everyone responsible for this
Inconsistent requirements like this are definitely the worst and can rapidly lead to catch-22 situations.
I forget who the guilty party was, but I remember once getting very stuck on a site which not only applied password restrictions to the password-setting form but also the login prompt itself. And guess what? They didn’t match. So I set some longish (16char?) randomly generated password during signup. Fine. Confirm account email address, blah, blah, try to log in for the first time: whoops, only passwords up to, I don’t know, 12 characters allowed.
I forget if the solution ended up being the reset password flow, modifying a client side check in the browser, or creating a new account with a different email address. Or perhaps the solution was a change of heart about how dearly I wanted to create an account in this site.
A variant of this also once happened to me. A website changed its password requirements during an update, and enforced the new policy on the login form. Not in the relatively sane way, “you’ve logged in, but your password doesn’t meet our new requirements, please change it now.” Nope. These were geniuses at work. “Your password doesn’t meet our requirements, so you can’t log in.”
I was late for a Zoom call because I had to reset my password. My password manager was set to generate 128-character passwords so I grabbed one and reset it. So far so good. But then the desktop GUI said my login was invalid. I did this two or three more times before I realized that the GUI didn’t accept that long of a password. I wonder if they’ve fixed this…
Citibank does this too!
I managed to lock myself out of my Psion Series 3 back in the day over a similar issue. The password entry box for setting the password was a normal entry box, which let you enter any character code, including special ones. The one on the unlock screen was a special more secure one that did not allow anything other than single key presses. This meant that I could set a password with special characters in it, I just couldn’t use it to unlock the machine.
In high school I’d set the screensaver on our Windows 3.1 machines to say something untoward and then set WIN.INI to be read-only so that the message couldn’t be changed in the UI. The UI wouldn’t report an error or anything; it would show the message as changed.
Not really the same thing at all, just reminded me of that story.
One of my banks does this - with just numbers!
Wow! How long do you think it will be before they start adding requirements like
or
Or contain your birthday, or any dates at all. In fact, it shouldn’t be divisible by 2 because most numbers are, and we want to make your password secure.
What does it mean to have a minimum of 7 numbers? Surely it means digits, no?
While we’re being puzzled by financial institutions’ behaviour, I was ?delighted? to peek at the JS on my (Australian big 4) bank’s login page and learn that it was encrypting the first eight characters and leaving the rest plain… then submitting it over HTTPS 🤷
My bank’s password requirements for their “internet password” are laughable; 8 characters max., only lowercase alphanumeric characters. It gave me so many headaches to figure out which characters they actually accepted because they didn’t have any hints on what the actual requirements are…
It’s always the financial institutions*. An 8 character max is truly incredible. I don’t know much about storing passwords, but that kind of maximum makes me rather suspicious that they might be storing plaintext passwords…
That reminds me that I’ve had to enter my password for Fidelity over the phone using T9 codes (i.e. the chars “abcABC” all map to 2) and mapping all special characters to *. I know that they could be hashing the “simplified form” and storing it alongside my regular password when they receive it, but it certainly made me suspicious that they, too, were storing my password in plaintext. Of course they also have some archaic 16 character limit.
* which ironically are the ones for which I want the strongest password!
Hi. Troy Hunt has a good take on this and why it doesn’t matter.
https://www.troyhunt.com/banks-arbitrary-password-restrictions-and-why-they-dont-matter/
Thank you for putting my mind at ease over their strange password policies. I can feel justified in being upset and still reasonably confident in the security of my financial accounts :)
I feel like given how common “identity theft” is (people successfully tricking banks into thinking they’re you so the bank will authorize sending them money, which through linguistic judo turns a theft from the bank into a theft from you personally) this blog post isn’t really that strong of an argument. Especially the part about how the bank will pay for any “unauthorized transfers”. Good luck with that. Doubt the bank has ever paid out, and not because their security is that good.
Most identity fraud does not involve guessing banking credentials, it involves either compromising the endpoint or going through a weaker reset path. Strong passwords are intended to protect against offline attacks. If an attacker can get a server’s password database, then weak passwords may require only a few hundreds of thousands of guesses to get, which may be only a few seconds of compute time. For something like a bank, if an attacker is in a position to steal the password database, they are in a position to do a lot more (financial) damage.
it’s horrible! the other bank i use (which is the one i get my salary deposited into) luckily has (slightly) better limits.. only 10 characters, but requires you to have at least 2 special characters and allows for uppercase.. but still leaves something to be desired
BBVA maximum is 6. Whenever you need to do something on the phone with them, they’ll ask for a couple of characters in random positions, but because the operators error once, I know they can see the whole password the whole time.
Citibank’s password isn’t case sensitive. They do not tell you this.
Banks, from what I have seen (at least where I live), follow password practices that seem archaic. I guess it is because they had to sink their knees in the realm of online security early on and haven’t moved on from that. My bank for example does not allow pasting the username or password, making the usage of a password manager a bit tricky. rofi-pass uses xdotool which helps me work around this.
I couldn’t use the letter “a” in my password on a website, because the email address I entered was a@...
I think it was the playstation account.
What does “Must not include more than 2 consecutive characters” even mean? Taken literally it would mean your password must be at most 2 characters. Presumably they mean “abc” and the like.
You know, I had assumed it meant “2 consecutive identical characters,” but I’m not sure.
I also wasn’t sure of the restrictions enforced by “Must not include your Email ID partly or fully,” but it did allow me to register an account with the characters contained in my email so I would guess their “partly” means a consecutive substring of nontrivial length (say, greater than 3).
Just found this website in case you want to suffer a bit more :)
https://dumbpasswordrules.com/
The worst one I encountered was for a Dutch government network (their policy is documented here, in Dutch: https://www.rvig.nl/documenten/richtlijnen/2015/02/27/wachtwoord-netwerk ). The gems in this one are:
It’s actually really difficult to generate passwords for this system with a password-manager…
I have an example that I use in websecurity courses to explain how not to do it. It’s in German, it was originally from the AOK (large German health insurance company, not sure if they still use that):
“Ihr neues Passwort muss zwischen 8 und 14 Stellen lang sein, Buchstaben, mindestens eine Zahl sowie mindestens ein Sonderzeichen enthalten. Sonderzeichen sind !, @, $, %, /, =, ?, `, +, -, #, _, ., ;, :, [, }, |. Das erste Zeichen Ihres Passwortes darf kein ? oder ! sein.”
Notably: They require special characters, but only certain special characters are allowed, and also a subset of these certain special characters are not allowed for the first character.
At one point in time Paypal seemed to have a password length of max 20 chars, but if you went over it when changing your password it wouldn’t tell you about it, it would just silently not change your password. Fortunately they seem to have fixed it now.
PayPal still circularly requires you to be authenticated to get support about authentication. I didn’t log in for years because I dislike their service, and they pulled the rug on Google Voice as 2FA so I couldn’t get into my account without providing my real phone number. Needless to say, I DM’d the band and we got them set up on Stripe as an alternative payment option (though Stripe has requirements for a physical address, so I guess it sucks to be homeless).
Anyone care for something that’s simpler and worse? :-D
I do not know how it got to this, I know it was related to someone misunderstanding rainbow tables at some point in the past but it had been so long before that I couldn’t get to anyone who remembered.
One of the managers figured that those unwashed employee masses kept abusing the password rules – like, Sarah from accounting who really liked her cat Mittens couldn’t set her password to ‘mittens’ so it was just set to ‘M1ttens_’ instead, which was just as weak. So they decided to enforce a strong password scheme.
Said password scheme was
NNNN#AAAA
where the A part was a series of alphanumeric characters, the N part was a number, and the # was a literal “#”. Everyone got one when they were hired and it changed every 90 days. However, the validation hook was buggy: you couldn’t ever change the AAAA part; it rejected anything you provided. If it ran out of reasons (“at least one lowerspace character”, “no duplicate characters”) it just said “error”. Everyone just incremented the NNNN.
What validation hook, you ask. Does
1234#KYaD
look like a strong password by modern standards? Right. You changed the password via some web application thing that included an ActiveX control. That’s how old it was (and amazingly enough it continued to work on Windows 10, albeit only with Internet Explorer).
Just use evilpass! https://sr.ht/~sircmpwn/evilpass/
Or, more seriously, just use zxcvbn: https://github.com/dropbox/zxcvbn
The creator gave a nice little talk on it here: https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/wheeler
When I was working at Uni, they implemented a password history policy like that. So I went through a whole bunch (~16 or so) of random password changes to get back to my previous already pretty secure password (15 random alnum) :p Forced password rotation is probably the worst thing IMO. Well, that, and systems that email you a plaintext copy of your password, and then it’s like “oh, #$@!”.
It’s amazing how banks seem to have the absolute worst, stupidest, confusing or outright wrong requirements. Seems to be pretty universal by the looks of this thread too. Wonder what it’ll take for this to change.
I wonder, now with the rise of AI, if you give these rules to ChatGPT and tell it to propose some passwords, what will happen…
Here’s a password that meets all the given requirements:
“H3lloW0rld”
Explanation:
Note: It’s important to choose a password that is both secure and memorable. While the above password meets the given requirements, it’s always a good idea to use a password manager to generate and store secure passwords for you.
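Since the rule list at the top of the thread, the discussion of what “consecutive characters” and “partly” mean, and the ChatGPT suggestion above all hinge on how the rules are read, here is an added validator that gives each ambiguous rule one explicit reading and reports every violation at once. This is example code written for this thread, not Chase’s code; the readings (a “run” is three characters stepping by one code point, such as abc or 321; “partly” is any four-character slice of the email local part, as guessed above), the sample user sarah@example.com / Sarah Smith, and the plain SHA-256 history list are all assumptions made for the demo.

```python
# Added example (not Chase's code): a validator for the rule list quoted at the
# top of the thread, with each ambiguous rule given one explicit reading.
from collections import Counter
import hashlib
import re

INSTITUTION_NAMES = ("JPM", "MORGAN", "JPMORGAN", "CHASE", "JPMORGANCHASE", "JPMC")
HISTORY_DEPTH = 24
PARTIAL_LEN = 4   # assumption: "partly" = any 4+ character slice of the email local part
RUN_LEN = 3       # assumption: "more than 2 consecutive" = a 3-char run such as abc or 321


def password_history(old_passwords):
    """Stand-in for the stored history: digests of the last 24 passwords.
    Constructed for the demo; a real system would use salted, slow hashes."""
    return [hashlib.sha256(p.encode()).hexdigest() for p in old_passwords[-HISTORY_DEPTH:]]


def _has_run(pw):
    """True if pw contains RUN_LEN characters whose code points step by +1 or -1."""
    for i in range(len(pw) - RUN_LEN + 1):
        window = pw[i:i + RUN_LEN]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, email, first_name, last_name, history_hashes=()):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    lower = pw.lower()

    if not 8 <= len(pw) <= 32:
        problems.append("length must be 8-32")
    if not re.fullmatch(r"[A-Za-z0-9]*", pw):
        problems.append("special characters or punctuation not allowed")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("needs at least one uppercase, one lowercase and one digit")
    if hashlib.sha256(pw.encode()).hexdigest() in history_hashes:
        problems.append("matches one of the previous 24 passwords")

    # Email rule: whole local part, or any PARTIAL_LEN-character slice of it.
    local = email.split("@")[0].lower()
    slices = {local[i:i + PARTIAL_LEN] for i in range(len(local) - PARTIAL_LEN + 1)}
    if local and (local in lower or any(s in lower for s in slices)):
        problems.append("contains email ID partly or fully")
    for name in (first_name, last_name):
        if name and name.lower() in lower:
            problems.append(f"contains name {name!r}")
    # "Identical" is read as the total count of any one character (case-sensitive).
    if pw and max(Counter(pw).values()) > 2:
        problems.append("more than 2 identical characters")
    if _has_run(pw):
        problems.append("more than 2 consecutive characters")
    if any(n in pw.upper() for n in INSTITUTION_NAMES):
        problems.append("contains the institution name")
    return problems


if __name__ == "__main__":
    # Constructed sample user; the ChatGPT suggestion from the thread is checked last.
    history = password_history(["Kq7mXz2pRt4v"])
    for candidate in ("Abc12345", "Chase2024Ab", "Kq7mXz2pRt4v", "H3lloW0rld"):
        verdict = check_password(candidate, "sarah@example.com", "Sarah", "Smith", history)
        print(candidate, verdict or "OK")
```

Under the “total count” reading of the identical-characters rule, “H3lloW0rld” fails (it has three l’s), while under the “two consecutive identical characters” reading proposed above it would pass, which is exactly why the rule text needs to say which one it means.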
Having to change it every 3 months for my work domain account, while not allowed to set a PIN on my laptop. So now my work pass everywhere is the easiest thing I can remember and I just increment a digit every time.
I once went on a website that truncated passwords silently. i.e. I paste a 64-character password to the registration form but it’s silently truncated to 20 chars. Of course, the login form doesn’t truncate so when I tried to login it didn’t accept my password. Impossible to spot visually. Very confusing.
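The registration-truncates-but-login-does-not bug described above is easy to reproduce and just as easy to catch with a round-trip probe. The following is an added example written for this thread, not code from any site mentioned here: a deliberately buggy account store that silently cuts passwords at 20 characters, a fixed variant that rejects over-long input instead, and a probe that registers and immediately logs in at several lengths to show which lengths break. The 20-character limit, the user name alice and the PBKDF2 parameters are all assumptions for the demo.

```python
# Added example (not any site's real code): reproducing and detecting silent
# password truncation between the registration and login paths.
import hashlib
import hmac
import os

MAX_LEN = 20  # assumption: the silent cut-off the comment above describes


def _digest(password, salt):
    # Salted PBKDF2 stand-in for the site's real password hashing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class BuggyAccounts:
    """Registration truncates; login does not. Exactly the mismatch from the thread."""

    def __init__(self):
        self._store = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self._store[user] = (salt, _digest(password[:MAX_LEN], salt))  # silent truncation

    def login(self, user, password):
        salt, stored = self._store[user]
        return hmac.compare_digest(stored, _digest(password, salt))


class FixedAccounts(BuggyAccounts):
    """Same store, but over-long passwords are rejected loudly at registration,
    so whatever was accepted is exactly what login will compare against."""

    def register(self, user, password):
        if len(password) > MAX_LEN:
            raise ValueError(f"password longer than {MAX_LEN} characters")
        super().register(user, password)


def probe_truncation(factory, lengths=(8, 20, 21, 64)):
    """Register then log in with a fresh password of each length.
    Returns {length: 'ok' | 'silently broken' | 'rejected'}."""
    results = {}
    for n in lengths:
        accounts = factory()
        password = "x" * (n - 1) + "Z"  # distinct last char: any truncation loses it
        try:
            accounts.register("alice", password)
        except ValueError:
            results[n] = "rejected"
            continue
        results[n] = "ok" if accounts.login("alice", password) else "silently broken"
    return results


if __name__ == "__main__":
    print("buggy:", probe_truncation(BuggyAccounts))
    print("fixed:", probe_truncation(FixedAccounts))
```

Running the same probe against both stores shows the buggy one passing at 8 and 20 characters and failing at 21 and 64, while the fixed one refuses the over-long passwords up front; a check like this belongs in the test suite of any login system that enforces a maximum length.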
The worst password situation is treasurydirect.gov, which makes one click an onscreen keyboard for each letter. Ironically, it uses only uppercase letters. It would be way better if they used the US government’s own login.gov auth service.
Shameless plug: I wrote a one-liner userscript to fix this one.