Password security limitations of various websites

After reading , I decided to go through and do a nice password cleansing. After a few years of “good password policies” being trumpeted around, I thought I’d find a majority of websites accepting large (> 16-digit) alpha-numeric-symbolic passwords. This was a terrible assumption, and as I’ve been going through and finding these limitations, I’ve been sending complaints to each customer service department. Just a note, the passwords I’m trying are more than 20 characters with symbols, numbers, and uppercase and lowercase letters. Here’s a summary:

| Site | Notes | Result |
| --- | --- | --- |
| Amazon | Allows the password. | Gold Star! |
| Discover Card | Allows the password. | Gold Star! |
| Chase | Doesn’t allow symbols. | |
| Ally | 16 character maximum! | |
| Fidelity | 12 character maximum, no symbols! | |
| Instructables | Allows the password. | Gold Star! |
| LinkedIn | Allows the password. | Gold Star! |
| Kiva | Allows the password. | Gold Star! |
| Yahoo | Allows the password. | Gold Star! |
| Mt. Gox | Allows the password. | Gold Star! |
| Dwolla | Allows the password. | Gold Star! |
| CampBX | Allows the password. | Gold Star! |
| Paypal | 20 character maximum! | |
| Allstate | Passwords must be 6 to 10 characters, certain symbols not allowed (<, >)! | |
| Geico | 16 character maximum! Only allows certain special characters! | |
| Github | Allows the password. | Gold Star! |
| Site5 | Allows the password. | Gold Star! |
| IMDB | Allows the password. | Gold Star! |
| Ebay | 16 character maximum! | |
| Etrade | Strange invalid character error, not a stated limitation. Further investigation shows no special characters are allowed. | |
| Newegg | Allows the password. | Gold Star! |
| Netflix | 4-10 characters. | |

The really alarming part is most of the failures I ran into had to do with banking/money. Why do these sites put limits on user password security? It seems like that’s the last place you would want these kinds of limitations. It’s hilarious that sites like IMDB, which I don’t expect strong security from whatsoever, allow me to use more secure passwords than my bank accounts. I especially love this from Etrade – they don’t specify what character was invalid, or that there are any invalid characters that could be entered:

Upon further investigation, I found out they don’t allow special characters.

I also love how Netflix apparently allows a 4-character password! That’s secure, huh!

