
Wells Fargo Password Policy

Overly tight restrictions on what you can use for a password raise the little red flag in the back of my mind. Sadly, banks are some of the worst at this. I recently came across the password policy page for Wells Fargo, which isn’t nearly the worst I’ve seen:

Your password:
– Must be 6 to 14 characters.
– Must contain at least one letter and one number.
– May not contain nine or more numbers.
– May not be identical to your Username.
– May not repeat the same number or letter more than 3 times in a row.
– May not contain more than 3 sequential numbers or letters (such as ‘1234’ or ‘abcd’) in a row.
– May contain special characters (such as @, %, &, #).
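The quoted rules, written out as a checker so each one can be tested against a candidate password. This is an added example, not Wells Fargo's code; it assumes letters and the username compare case-insensitively, and that "sequential" covers both ascending runs (abcd, 1234) and descending ones (dcba, 4321).

```python
# Constructed checker for the Wells Fargo rules quoted above (not the bank's own code).
# Assumptions: comparisons are case-insensitive, and "sequential" means ascending
# or descending runs of letters or of digits.
MIN_LEN, MAX_LEN = 6, 14
MAX_RUN = 3  # more than 3 identical or sequential characters in a row is rejected


def _longest_run(s: str, step: int) -> int:
    """Length of the longest run in which each code point moves by `step`.
    step=0 finds repeats (aaaa), step=1 ascending (abcd), step=-1 descending (dcba).
    Only letter-to-letter and digit-to-digit pairs count, matching the rule's wording."""
    best = run = 1
    for prev, cur in zip(s, s[1:]):
        same_class = (prev.isalpha() and cur.isalpha()) or (prev.isdigit() and cur.isdigit())
        if same_class and ord(cur) - ord(prev) == step:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def check_password(password: str, username: str) -> list[str]:
    """Return the rules the password violates; an empty list means it is accepted."""
    p = password.lower()
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("must be 6 to 14 characters")
    if not (any(c.isalpha() for c in p) and any(c.isdigit() for c in p)):
        problems.append("must contain at least one letter and one number")
    if sum(c.isdigit() for c in p) >= 9:
        problems.append("may not contain nine or more numbers")
    if p == username.lower():
        problems.append("may not be identical to your Username")
    if _longest_run(p, 0) > MAX_RUN:
        problems.append("may not repeat the same number or letter more than 3 times in a row")
    if _longest_run(p, 1) > MAX_RUN or _longest_run(p, -1) > MAX_RUN:
        problems.append("may not contain more than 3 sequential numbers or letters in a row")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "jsmith" is a made-up username.
    for pw in ["Tr0ub4dor", "abcd1234", "1111x", "correcthorsebatterystaple1"]:
        print(pw, "->", check_password(pw, "jsmith") or "OK")
```

Note that the last sample is rejected purely for length, which is the rule the rest of this post takes issue with.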

There are several things to like about this. Avoiding sequences and repetition is good. I wonder where the requirement to use fewer than nine numbers comes from.

The major pain point in this list is limiting the password length to only 14 characters. Any time I see a maximum length that small I fear they are storing it in plain text somewhere, since a properly hashed password produces a fixed-size digest no matter how long the input is. Assuming reasonable hashing methods, a maximum length closer to 70 characters would be significantly better.