One Site Is Highlighting the Internet’s Dumbest Password Rules

The appropriately named Dumb Password Rules highlights 286 sites with maddening password restrictions

[Image: close-up of a website sign-in button. Caption: "Your password must be between 8-20 characters with randomly infuriating restrictions." Photo: SEAN GLADWELL / Getty]

If you’ve ever gone to, well, any website ever, you’ve probably been prompted to open an account and create a username and password. And every site has its own methodology for those log-ins, with varying rules about capital letters, special characters and password length that make signing up burdensome (and often no safer). This is why we salute the existence of Dumb Password Rules.

DPR was created by a software engineer who goes under the username duffn. “I get very annoyed when I encounter a dumb password rule in the wild,” they write. “One day, I had enough and wanted to let everybody know how dumb these rules are.” (H/t View From the Wing for highlighting the site and bringing it to our attention.)


There are currently 286 sites on Dumb Password Rules, running the gamut from banking to travel to health. Each one features a screenshot of the site log-in and a brief explanation of the password, uh, dumbness. For example: Ameli, a French healthcare site, requires the following for creating a password:

  • The password must be more than 8 characters
  • But you cannot use more than 13 characters
  • You can only use digits
  • You cannot use your birthdate or your login
  • You cannot use a sequence of digits (if your password happens to contain 56 or 89 it will be rejected)
  • You cannot repeat the same character (if your password contains 22 or 55 it will be rejected)
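
To see what a rule set like Ameli’s actually leaves an attacker to guess, here is an added example (written for this article, not code from Ameli or from the Dumb Password Rules repository) that re-implements the six rules as listed above and counts the passwords that survive them. Two points the list leaves open are treated as assumptions: “sequence” is read as an ascending adjacent pair (the examples given are 56 and 89), and “repeat” as an adjacent repeat (a digit-only password of 11 to 13 characters cannot avoid reusing some digit, so the rule cannot mean “never twice”). The login and birthdate inputs, and the birthdate format, are hypothetical, and all sample passwords are constructed.

```python
import itertools
import math

# Re-implementation of the Ameli rules as the article lists them. Example code
# added for this article; not Ameli's code and not from the Dumb Password
# Rules repository.
MIN_LEN = 9    # "more than 8 characters"
MAX_LEN = 13   # "cannot use more than 13 characters"


def adjacency_violation(password):
    """Return the first adjacent pair that breaks the 'no repeat' or 'no
    sequence' rule, or None. Assumption: 'sequence' means an ascending pair
    d,d+1 (the article's examples are 56 and 89); 'repeat' means an adjacent
    repeat, since any digit-only password longer than 10 must reuse a digit."""
    for a, b in zip(password, password[1:]):
        if a == b:
            return f"repeated digit {a}{b}"
        if int(b) == int(a) + 1:
            return f"sequence {a}{b}"
    return None


def ameli_reject_reason(password, login="", birthdate=""):
    """Return None if the password passes the listed rules, otherwise the first
    rule it breaks. `login` and `birthdate` are hypothetical inputs; assumption:
    the birthdate is supplied as a digit string such as "31121990"."""
    if not password.isdigit():          # "you can only use digits"
        return "digits only"
    if len(password) < MIN_LEN:
        return "too short"
    if len(password) > MAX_LEN:
        return "too long"
    if login and password == login:     # "cannot use ... your login"
        return "equals login"
    if birthdate and birthdate in password:   # "cannot use your birthdate"
        return "contains birthdate"
    return adjacency_violation(password)


def count_allowed(length):
    """Number of digit strings of `length` that pass adjacency_violation,
    computed by dynamic programming over the last digit (no enumeration)."""
    ending = [1] * 10   # valid strings of the current length ending in each digit
    for _ in range(length - 1):
        total = sum(ending)
        # digit e may follow d unless d == e (repeat) or d == e - 1 (sequence)
        ending = [total - ending[e] - (ending[e - 1] if e > 0 else 0)
                  for e in range(10)]
    return sum(ending)


def brute_force_count(length):
    """Cross-check of count_allowed for small lengths by enumerating every string."""
    return sum(1 for t in itertools.product("0123456789", repeat=length)
               if adjacency_violation("".join(t)) is None)


def keyspace_bits(min_len=MIN_LEN, max_len=MAX_LEN):
    """(bits of the space the rules leave, bits of the unconstrained digit-only
    space over the same lengths), ignoring the login/birthdate exclusions."""
    allowed = sum(count_allowed(n) for n in range(min_len, max_len + 1))
    unconstrained = sum(10 ** n for n in range(min_len, max_len + 1))
    return math.log2(allowed), math.log2(unconstrained)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = ["1357924680", "123456789", "1122334455",
               "9753197531", "abc123456", "31121990375"]
    for pw in samples:
        reason = ameli_reject_reason(pw, login="jdupont", birthdate="31121990")
        print(f"{pw!r:>16} -> {reason}")
    allowed_bits, plain_bits = keyspace_bits()
    print(f"rules leave {allowed_bits:.1f} bits vs {plain_bits:.1f} "
          f"for unconstrained 9-13 digit strings")
```

Every rule removes candidates an attacker would otherwise have to try: the unconstrained 9-to-13-digit space is roughly 43 bits, and the adjacency rules alone cut it to under 40 before the login and birthdate exclusions take more. Anyone building a guessing list for the site would prune with exactly these checks, so the policy costs users memorability and gives them nothing back.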

Not all of the sites listed are as egregious as that one, but most are certainly annoying — Bank of America, for instance, requires a number, uppercase letter, lowercase letter and limits (but doesn’t completely ban) special characters for its 8-20 character password.

Keeping your information safe is important, but frustrating customers shouldn’t be the cost of doing it. There are plenty of good tips on how to pick a safe password, and current guidance such as NIST SP 800-63B tells sites to allow long passwords (at least 64 characters), accept any printable character, impose no composition rules and instead screen new passwords against lists of known-compromised ones; a site that blocks those practices isn’t working in your best interest. (In any case, do get a password manager; we personally like Dashlane, but there are others.)

So, what if you’re one of the companies that made this list and want to be removed? Per duffn: “If you’ve fixed your dumb password rule, awesome! I’ll happily remove entries that have been corrected. Please open a pull request to have your entry removed on GitHub.”
