Advertise here with Carbon Ads

This site is made possible by member support. โค๏ธ

Big thanks to Arcustech for hosting the site and offering amazing tech support.

When you buy through links on, I may earn an affiliate commission. Thanks for supporting the site! home of fine hypertext products since 1998.

๐Ÿ”  ๐Ÿ’€  ๐Ÿ“ธ  ๐Ÿ˜ญ  ๐Ÿ•ณ๏ธ  ๐Ÿค   ๐ŸŽฌ  ๐Ÿฅ”

The world’s worst password requirements list

I tweeted about this but wanted to document it here for posterity. The Attorney General of Texas Child Support website has the worst set of password requirements I’ve ever seen.

Password Req

Exactly eight characters? No consecutive repeating characters? This is the internet equivalent of everyone throwing their supposedly dangerous 3+ oz. liquid containers into one giant barrel where hundreds of people are queuing up for “security”. Makes you wonder how non-user-friendly the state’s actual child support process is.

Update: Here’s another bad password policy, courtesy of TechRepublic:

Password Req 01

Can’t contain two separated numbers? I don’t even. If you’ve run across other examples like these, tweet at me.

Update: Troy Hunt has a list of bad password practices…for example, here’s ING’s 4-digit PIN login:

Password Req 02

Four digits, numbers only…FOR A BANK! He also has a screenshot of American Express’ case insensitive password rule.

Update: Jonathan Cogley signed up to access the web site of a “major credit card company” (AmEx?) and ran into the case insensitivity as well.

Update: BTW, there are many resources out there about choosing good passwords, but I found this one particularly helpful.

Update: This one from the US Citizenship and Immigration Services site is very similar to the Texas one.

Password Req 03

Is there a consultant somewhere telling state and federal governments how not to do passwords? (via @kelseyfrost)

Update: I’ve gotten several notes about ING…their PINs are 6+ digits but still only numbers, which seems trivial to hack, even with their ever-shifting numeric keypad (readily OCR-able) and image verification (isn’t foolproof).

Update: Suncorp Bank requires that passwords be 6-8 characters and can’t contain consecutive numbers or special characters.

Password Req 04

Chase requires a password for your password so you can log in while you log in. Or something.

But the best one so far might be for Sabre Red, a booking system used by travel agents.

Password Req 05

7-8 characters in length, no special characters, no more than two repeating characters, and you cannot use the letters Z or Q (presumably a holdover from the days when phone keypads didn’t have Qs or Zs). Wow. (via @SteveD503, @albedoa & @TheLoneCuber)

Update: Here’s another one, from some unspecified site:

Password Req

(via @toepoke_co_uk)