Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.

Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…

  • @[email protected] · 7 points · 3 months ago

    Facebook got caught having a flat text file being sent around between employees to make accessing data easier. That text file contained tens of thousands of people's usernames and passwords.

    Why? Facebook being facebook I guess

  • @[email protected] · 10 points · 3 months ago

    [offtopic?]

    Debbie’s password is “PlutoGoofyMickeyMinnieDaffyBugsThorLosAngles”

    She was told that the password needed seven characters and a capital.

  • @[email protected] · 32 points · 3 months ago

    The oddest I’ve ever encountered: EXACTLY 15 characters long. No more, no fewer. 15.

    Honorable mention: Various online accounts where I used my password manager to generate a long, secure password, which the website accepted without warning or error. I was then locked out because their user management system could not handle such long passwords (had to create a second account with a much shorter password to find that out) 🤣

    • @[email protected] · 9 points · 3 months ago

      A university I worked at had a similar policy to the first one.

      They wanted a single username and sign on across all IT systems but also had some really old legacy systems that didn’t support long passwords.

      So they’d force everyone to use passwords that were exactly as long as the maximum legacy password length.

      For me, the worst system is the Microsoft authenticator, which locks me out of my account for five minutes if my fingerprint doesn't match the first time I try.

  • @[email protected] · 8 points · edited · 3 months ago

    I volunteer at a local high school and the students' password is their birthday, because they are given their account at age 5, in kindergarten, and it's something you can reasonably expect a 5-year-old to remember. Also, the students are not allowed to change their password unless they get "hacked", which is usually just another student logging into their account and deleting their assignments.

    • @[email protected] · 2 points · 3 months ago

      A school I used to work at had a folder with student passwords for various services at the front of the computer lab. If a student forgot their password for a service, they just went and looked in the folder. Maybe they’d even get their mates’ passwords for them while they were at it!

      I did try to get the policy changed, and offered to teach staff and students how to use a password manager, but apparently remembering a single password was far too complicated, and it would make it much harder if you needed to log in to someone else’s account.

  • qantravon · 8 points · 3 months ago

    Most absurd was from a job I had in college. This was the password to log into an ancient dumb terminal (literally a monochrome black and green display) on a local-only network that only handled our time clock.

    Requirements:

    • 8 characters exactly
    • You supply the first 4, the system generated the last 4
    • I can’t remember if it allowed numbers, but there were definitely no special characters and I think it was also case-insensitive

    Required to change password every 30 days.

  • @[email protected] · 15 points · edited · 3 months ago

    By far the worst is the Costa Rican national bank:

    • Must be between 8 and 16 characters long
    • Must have at least 4 letters and 4 numbers
    • Can’t have consecutively repeated characters (can’t do “aa” but can do “aba”)
    • Can’t have vowels or Ñ
    • Must not be one of your last 6 passwords
    • Must be changed every 90 days
    • Also, forgot that their website and app try to block password managers and copy and paste

    • @[email protected] · 6 points · 3 months ago

      I was reading along like, that’s dumb but at least I could craft something in my password man-… Oh… oh no…
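
A validator and generator for the bank rules as listed in the comment above, written here as an added example (this is not the bank's code, and nothing about its real implementation is known beyond the list). Assumptions: the rules say nothing about letter case or symbols, so the alphabet is consonants in both cases plus digits; "last 6 passwords" is taken as the six most recent entries of an oldest-first history list. The generator draws uniformly from that alphabet and rejects candidates until one passes every rule, which is what a password manager would have to do for this site if it were allowed to fill the field.

```python
"""Validator and rejection-sampling generator for the bank's password rules.
Added example, not the bank's own code.  Assumption: no rule mentions case
or symbols, so the alphabet is consonants (both cases) plus digits."""
import math
import re
import secrets

CONSONANTS = "BCDFGHJKLMNPQRSTVWXYZ"
ALPHABET = CONSONANTS + CONSONANTS.lower() + "0123456789"
FORBIDDEN = re.compile(r"[aeiouAEIOUñÑ]")   # "can't have vowels or Ñ"


def violations(pw, history=()):
    """Return the names of the rules the candidate breaks ([] means accepted).

    history: previous passwords, oldest first; only the last 6 are banned."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length")
    if sum(c.isalpha() for c in pw) < 4:
        problems.append("letters")
    if sum(c.isdigit() for c in pw) < 4:
        problems.append("digits")
    if any(a == b for a, b in zip(pw, pw[1:])):      # "aa" banned, "aba" fine
        problems.append("repeat")
    if FORBIDDEN.search(pw):
        problems.append("vowel")
    if pw in history[-6:]:
        problems.append("history")
    return problems


def generate(length=16, history=()):
    """Draw uniformly from ALPHABET and retry until every rule passes."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not violations(pw, history):
            return pw


def max_entropy_bits(length=16):
    """Upper bound log2(|alphabet|^length); each extra rule only lowers it."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    print(violations("Pr3ss3dBr1cks"))        # ['digits', 'repeat']
    print(generate(), round(max_entropy_bits(), 1))
```

Even at the maximum length the alphabet caps the password at about 91 bits before the repeat and composition rules shave some off, which is still fine; the real damage is the 90-day rotation and the blocked paste, which push users toward short, memorable, rule-shaped passwords.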

  • Phoenixz · 60 points · 3 months ago

    Not so much password requirements as just a completely removed implementation:

    To access payment stubs in a data center (not us) that I worked at, the user account was our public email address and the password was a personal code, sorta like SSN, but that code could be easily looked up as it was public info.

    I showed the director of HR, who authorized this, her own payment stub as evidence that this was baaaaadddd

    So she asked me to check that system for more issues

    Turns out it stored passwords in blank (wtf) and would authenticate with two queries. The first query would check if the username (email) exists. The second query would check if the password exists. If both exist, you're in! So I could log in to any account with MY password…

    This is the tip of a very big iceberg there

    • @[email protected] · 22 points · 3 months ago

      This has to be the best one here. The sheer lack of understanding of how to authenticate an account by the dev.

      • @[email protected] · 2 points · 3 months ago

        Sounds like the initial part of password testing, and then they either forgot to complete it, or someone came along to fix the later parts, commented them out for testing and never got around to fixing/uncommenting. Surprising how often things that ‘work’ are set aside and no one is in charge of reviewing.
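
The two-query login Phoenixz describes, reproduced next to a correct one, as an added example (this is not the payroll system's code; the schema, the user names and the passwords are constructed here). The broken version asks two unrelated questions, "does any row have this email?" and "does any row have this password?", and the right answer to both lets anyone in with their own password. The fixed version fetches the single row for the email and verifies the password against that row's salted hash; the plaintext column exists in this demo only so the bug can be shown side by side and has no place in the fixed schema.

```python
"""Added example: the 'two existence checks' login bug beside a correct login.
Not the payroll system's code; schema and accounts are constructed here."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000


def build_db():
    db = sqlite3.connect(":memory:")
    # Table the broken login reads: plaintext passwords, as described in the thread.
    db.execute("CREATE TABLE users_plain (email TEXT PRIMARY KEY, password TEXT)")
    # Table the fixed login reads: per-user salt and PBKDF2 hash, no plaintext.
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def add_user(db, email, password):
    """Populate both tables so the two logins can be compared on the same accounts."""
    salt = os.urandom(16)
    db.execute("INSERT INTO users_plain VALUES (?, ?)", (email, password))
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, derive(password, salt)))


def broken_login(db, email, password):
    """The bug: two independent existence checks that never join on the same row."""
    email_exists = db.execute(
        "SELECT 1 FROM users_plain WHERE email = ?", (email,)).fetchone()
    password_exists = db.execute(
        "SELECT 1 FROM users_plain WHERE password = ?", (password,)).fetchone()
    return bool(email_exists and password_exists)


def fixed_login(db, email, password):
    """Look up the one row for this email and verify against *its* hash."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        derive(password, b"\x00" * 16)   # burn the same time so unknown users aren't obvious
        return False
    salt, stored = row
    return hmac.compare_digest(derive(password, salt), stored)


def demo():
    """Constructed scenario: an attacker with their own account targets the HR director."""
    db = build_db()
    add_user(db, "director@example.com", "HRsecret!")
    add_user(db, "attacker@example.com", "MyPassword")
    return {
        "broken_cross_account": broken_login(db, "director@example.com", "MyPassword"),
        "fixed_cross_account": fixed_login(db, "director@example.com", "MyPassword"),
        "fixed_correct": fixed_login(db, "director@example.com", "HRsecret!"),
        "fixed_unknown_user": fixed_login(db, "nobody@example.com", "HRsecret!"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note what the broken query also leaks: since the second check matches any user's password, a list of common passwords run against any valid email doubles as a test of whether anyone in the company uses them.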

  • Phoenixz · 2 points · 3 months ago

    There is such a thing as good unhinged?

    I’m going to need an example here…

  • @[email protected] · 14 points · edited · 3 months ago

    12 characters, upper/lower/special requirement, and no more than two occurrences of the same character together. That’s FedEx.

    Two other thoughts on the topic:

    • Websites/apps/etc should always list their password requirements on the login page to make it easier to determine what password you used for the site in question.
    • There are plenty of websites where I literally log in only by using the “forgot password” flow because their password requirements are so ridiculous.

  • @[email protected] · 4 points · 3 months ago

    I've encountered a few sites that restricted repeating or sequential characters. Of course, told after failing the first creation attempt. Makes things like randomly generated passphrases fun to figure out. Particularly when their idea of "sequential" involves both in alpha/numerical order, but also adjacent spacing on the (assumed?) qwerty keyboard!

  • Dem Bosain · 9 points · 3 months ago

    I had to make a password last fall that had the requirement "numerals or special characters". A password with both numerals and special characters wouldn't work.

  • @[email protected] · 10 points · 3 months ago

    My favorite is a major credit card company with case-insensitive passwords. They also only allow a small handful of special characters, so the total possible character space is roughly 42 characters. Needless to say, I chose to use a password that was the maximum allowed length (which was sadly also only 32 characters).

  • AwesomeLowlander · 22 points · edited · 3 months ago

    Stupid bank app doesn’t allow password managers… and if you hit the enter button to login you get an error message informing you that you need to mouse click on the button.

  • @[email protected] · 14 points · 3 months ago

    A company I used to work for is big enough that everyone reading this has heard of it. They had this wonderful security nightmare going on:

    When you were hired, the company would issue your user credential with a standard password that was “CompanyName1” and require you to immediately change it at first logon. Everyone knew this password because everyone got it when they were hired.

    Password policy required everyone to reset their password every 60 days. Not the worst ever but still pretty aggressive. And with the rise of all the mobile devices connecting with your corp account it was getting to be a worse and worse experience.

    Can you guess yet how these two policies are linked in my story?

    Well, some of the C-Suite executives didn’t have time for any of these security shenanigans. So they would have their executive support person log into an administrative console and reset the exec’s password every 59 days to the same value that it currently had, thereby bypassing the password re-use filter.

    That value they were continuously setting was… “CompanyName1”

    I know of at least two executives that were doing this while I worked there.

    • Cousin Mose · 7 points · 3 months ago

      When I was in middle and high school the school district would always do this at the beginning of the school year.

      One year my best friend moved away so in the following years I discovered his account still existed. If I was in the mood to hack (dumb stuff like forging email with their horrible SMTP server for example) I’d just find another computer I wasn’t just using and log in using the default password.