What is this?
Arduous and complicated password rules actually reduce web security. What ultimately makes a password strong is its length, not a series of difficult-to-remember composition rules. Rules that disallow or restrict special characters shrink the character set and lower the entropy of the passwords an application stores, making them easier to guess and crack.
Many people today use password managers, such as 1Password, which generate long and randomized passwords. Restrictive password rules prevent your users from benefiting from these secure passwords.
Beyond a bare minimum of complexity, such as a minimum length, your password rules are likely ineffective and actually reduce the security of your application. Stop it. Do better.
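To put numbers on that argument, here is an added example (not code from this list or its repository) that models a few of the policies below, computes the entropy ceiling each one imposes on a uniformly random password, and shows what a password-manager password turns into under them; the Policy class, the 20-character manager default and the sample password are assumptions, not taken from the sites.

```python
"""Model a site's password policy and the entropy ceiling it imposes."""
import math
from dataclasses import dataclass
from typing import Optional
# Printable ASCII (space through '~') split into the classes these policies restrict.
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SPECIAL = "".join(chr(c) for c in range(32, 127) if chr(c) not in LOWER + UPPER + DIGITS)

@dataclass
class Policy:
    name: str
    max_len: int                 # longest password the site accepts (or keeps)
    allow_special: bool = True   # may the password contain non-alphanumerics?
    case_sensitive: bool = True  # does the site distinguish 'a' from 'A'?
    truncate: bool = False       # silently keep only the first max_len characters?

    def alphabet(self) -> str:
        chars = LOWER + DIGITS
        if self.case_sensitive:
            chars += UPPER
        if self.allow_special:
            chars += SPECIAL
        return chars

def max_entropy_bits(policy: Policy) -> float:
    """Entropy of a uniformly random password that fills the policy's limit:
    length * log2(alphabet size). No user of this site can do better."""
    return policy.max_len * math.log2(len(policy.alphabet()))

def effective_password(policy: Policy, candidate: str) -> Optional[str]:
    """The password the site actually ends up checking, or None if it rejects it."""
    pw = candidate if policy.case_sensitive else candidate.lower()
    if not policy.allow_special and any(c in SPECIAL for c in pw):
        return None
    if len(pw) > policy.max_len:
        if not policy.truncate:
            return None
        pw = pw[:policy.max_len]   # Wells Fargo style: extra characters silently ignored
    return pw

# Policies taken from the list on this page; the 20-character manager default is assumed.
SCHWAB = Policy("Charles Schwab", max_len=8, allow_special=False, case_sensitive=False)
WELLS_FARGO = Policy("Wells Fargo", max_len=14, truncate=True)
MANAGER_DEFAULT = Policy("Password manager default (assumed)", max_len=20)

if __name__ == "__main__":
    for p in (SCHWAB, WELLS_FARGO, MANAGER_DEFAULT):
        print(f"{p.name:36s} ceiling = {max_entropy_bits(p):6.1f} bits")
```

The Schwab policy caps every user at roughly 41 bits, while the silently truncating Wells Fargo field throws away the tail of a 20-character generated password without telling the user.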
This is a repository of sites, apps, and entities which violate this manifesto.
“Password rules are bullshit.” - Jeff Atwood
Passwords must contain a number, an uppercase letter, and a lowercase letter. Passwords can't use spaces or the same character three times in a row.
AT&T: Password must be 6-24 characters long and use at least one letter and one number. Only upper/lower case letters, numbers, hyphens and underscores are allowed.
Bank of America: Disallows special characters.
Bath & Body Works: Only allows up to 50 characters, and disallows spaces.
Blizzard Gear Store: Only allows up to 20 characters.
Blizzard/Battle.net: Only allows up to 16 characters.
Capitol Federal Bank: Restricts the use of special characters.
Charles Schwab: Restricts length to eight characters and disallows special characters. Goes the extra mile by making passwords case-insensitive.
Chase: Only allows passwords of up to 32 characters in length.
Costco: Only allows up to 20 characters, and restricts the use of special characters.
Delta Air Lines: Only allows up to 20 characters, restricts which special characters may be used, and allows at most three of them.
Eddie Bauer: Max 20 characters.
Elanco Animal Health Rebates: Password must contain only letters and numbers.
FAA MedXPress: Only allows passwords between 8 and 12 characters in length.
Fabric.com: Alphanumeric characters only.
Flaticon: In their words, 'The field password must contains [sic] only letters and numbers'.
Horizons North Credit Union: Must be between 8 and 10 characters, restricts special characters to a limited set, must contain at least two alphabetic characters, and must contain three non-alphabetic characters.
Hyatt: Max 35 characters.
InterContinental Hotels Group: Only allows a four-digit PIN to protect your account.
Jackson & Perkins: Between 5 and 15 characters.
Johnson County Wastewater: This is a mess.
Kate Spade: Max 20 characters.
KStateSports.com Store: Max 20 characters.
Lloyds Bank: Disallows special characters.
Lowes: Requires passwords to be between 6 and 12 characters long, and passwords cannot contain spaces.
Major League Baseball: Must be 8-15 characters. Disallows special characters without saying so.
Merrell: Max 20 characters, disallows spaces.
MyMazda: Max 16 characters, alphanumeric characters only, restricts special characters.
MySubaru: Max 15 characters, disallows spaces.
Neiman Marcus: Disallows the % and + symbols, and no more than 2 consecutive repeating characters.
Origin: Only allows passwords between 8 and 16 characters.
Penzeys: Max 20 characters.
Prairie Nursery: 6-15 alphanumeric characters.
Project Euler: Passwords must contain between 8 and 32 characters.
REI: Max 16 characters.
Rockstar Games Social Club: Only allows alphanumeric characters.
Room Sketcher: 6-20 alphanumeric characters.
Sarpinos Pizzeria: Rules unknown; it simply errors out when certain characters, like #, are used.
Sephora: Max 12 characters, no spaces.
Sling TV: Passwords must be 4-30 characters, letters and numbers only.
Soccer.com: Cannot contain more than 4 of the same character in the entire password.
Summit Racing: Only allows passwords of up to ten characters.
T Rowe Price: Only allows passwords of up to 32 characters, and restricts use of special characters. Cannot contain three or more of the same character in a row.
Target: Maximum of 20 characters, and disallows certain special characters.
TD Ameritrade: Only allows passwords of up to 15 characters in length and disallows special characters.
The Body Shop: Max 24 characters.
Victoria's Secret: Disallows special characters.
Waste Management: Only allows passwords between 8 and 15 characters, and disallows the @ symbol.
WaterOne: Only allows passwords between 8 and 30 characters.
Wells Fargo: Only allows passwords of up to 14 characters and enforces this by limiting the length of the input field. If you type a longer password, only the first 14 characters are used, and the same happens when you log in: the field stops accepting input after 14 characters and silently ignores the rest.
Williams Sonoma: Max 25 characters in length.
Zoom: Only allows passwords of up to 32 characters in length.
Contribute to this project
If you have an update to this list, email me via my contact form or create a pull request on GitHub.
If you are affiliated with one of the companies or sites linked above and you're unhappy, check yourself before you wreck yourself. Then you can email me via my contact form and I can take a look.