I had a wi-fi device a few years ago that would require a password up to 12 characters, but that requirement wasn’t explicitly written anywhere. The device would gladly accept a 13-character password, for example, but you would never be able to log in again (factory-resetting was the only way to undo).

More recently I purchased a Lennox HVAC system that came with their proprietary thermostat (an Android tablet with a wall mount). During the Christmas break I got myself a new wi-fi router and had to reconfigure all my wireless devices. After 2 days, the Lennox thermostat was the last device to join the new wi-fi network… and it failed because their password could have any character EXCEPT the asterisk — and my new password had an asterisk. I didn’t like the idea of redoing all my other devices AGAIN just because of this idiotic password rule, so I ended up creating a new SSID just for the thermostat. I named it LENNOXSUCKS.

I needed to get a certificate for digitally submitting my taxes. This, of course, requires me to set a password for it. The tax office’ web site lists a number of requirements and rejects any password that does not match those (so it said). So far, so good, the usual stuff, lower and upper case, numbers, special characters, minimum lenght. No surprises there.

For one of the “special characters” I used “ö” (umlaut o), which is a normal character in my language (which is the same as the tax offices, so they should be aware of those). The web site filter happily accepted this password containing the “ö”. But the back engine got a severe case of digital diarrhea from it. I had to clear my caches and cookies to completely re-starting the application process.

Another password SNAFU I had many years ago in a place using TN3270 terminals. To those who have never seen such a thing, it is a so-called “smart terminal”. It does not send and receive single characters like a telnet or SSH session, but the host sends a mask to the terminal, defining fields that can be filled out, and with a “send” or “function” key (IIRC) you could send the data back. Those fields had fixed lengths, of course. You might guess the problem…

So the login screen had two fields of eight characters each: “Username” and “Password”. I entered the credentials I have been given and sent them. The first thing I did was to select “change password”. It opened a form with three fields: “old password”, “new password”, and “repeat new password”. Nothing odd about that, but the fields had twelve characters. So, not knowing the particulars of that system (I was used to UNIX style terminals back then), I entered a new password that was longer than eight characters. Guess what? I logged out, I tried to log in, I was stuck. I had to ask my admin to reset my password. And had found the first of many, many bugs in that system.

Probably the silliest thing I have run into was some game. It asked you to set two passwords. You needed both to login. The second password couldn’t be changed. This is why it was secure, see. (…What.)

When I created my account and set the second password, I couldn’t log on the second time. Because I had entered a 20 character second password. It was accepted and verified during the account creation just fine. On the second login, it only accepted 16 characters. (It let you enter 20 characters but said it was too long.) Trying to enter first 16 characters of the second password didn’t work, of course.

I then contacted the support, and they did manage to reset the second password anyway. (What is this even)

The worst I’ve ever seen was a site that required passwords to be 4 digits.

Obligatory link to neal.fun password-game

Not allowing you to paste a password, so you have to type it manually every time.

12 characters, upper/lower/special requirement, and no more than two occurrences of the same character together. That’s FedEx.

Two other thoughts on the topic:

• Websites/apps/etc should always list their password requirements on the login page to make it easier to determine what password you used for the site in question.
• There are plenty of websites where I literally log in only by using the “forgot password” flow because their password requirements are so ridiculous.

Anything that requires regular password resets. It’s fine if it’s changed on the site and in the user’s vault automatically, but if a user has to type in their password with any sort of regularity, it’s a recipe for disaster to require regular changes.

People write predictable or formulaic passwords, or just end up resetting their password more often than necessary because they forgot it (making them more susceptible to phishing).

“Password must contain letters numbers, and at least one of these special characters.”

Turns out, half of those special characters weren’t allowed 🫠

Six numbers only.

The most basic rules commonly required everywhere. When you have such specific rules, it ironically actually makes finding the password through brute force easier because you can eliminate a bunch of variables that could have existed without all the rules. I can eliminate any permutation under 8 characters, doesn’t contain a number, and doesn’t contain a special character.

It will still possibly take a billion years to guess, but it could have been two billion without the rules.

Of course, I also find it wild that the metric for how good an encryption or password system is, is just how long it would take to guess every possible combination of input it could be, sequentially. It doesn’t account for a brute force attempt that just selects random inputs. It could take until the heat death of the universe… It could take 3 seconds. It’s up to chance at that point. Not to mention all the easier ways of getting a password. Like gaslighting the person who knows it into giving it up.

By far the worst is the costa rican national bank:

• Must be between 8 and 16 characters long
• Must have at least 4 letters and 4 numbers
• Can’t have consecutively repeated characters (can’t do “aa” but can do “aba”)
• Can’t have vowels or Ñ
• Must not be one of your last 6 passwords
• Must be changed every 90 days
• Also forgot that their website and app try to block password managers and copy and paste

[offtopic?]

Debbie’s password is “PlutoGoofyMickeyMinnieDaffyBugsThorLosAngles”

She was told that the password needed seven characters and a capital.

My community colleges:

Passwords must be 12 characters long, contain at least one uppercase letter, one lowercase letter, a number, and a special character; it must also be changed every 30 days. There was also some sort of alogarithm that checked if your new password is too similar to any previous password you had used, and rejected it if it was too close.

Hilariously, if you had a link to the page the password was supposed to limit access to, you could bypass the password page entirely. As such, I never changed my password.

Passwords that must contain a special character, but only from a list of three special characters.

Passwords that must be changed every 3 months.

Absurdly narrow length requirements, im 80% sure I saw one that required 8-16 characters.

All dictionary words were banned from being in a password regardless of length, so passphrases weren’t allowed.