Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.
Not name-and-shaming, but the best one I’ve seen recently is that I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…
It’s the worst when they do that and have difficult restrictions on passwords.
One place I worked at had limits like “no more than two letters back-to-back”, “no more than two numbers back-to-back and no sequential numbers”.
The rules were available on the password reset screen.
The minimum was only something like 8 characters, so I have to wonder how many people had a1b2c3d? for a password.
Feed those rules to a password cracker and it’d be able to get in easily.
To their credit, I think they did support passwords that were maybe 64 characters long. But after they introduced those weird requirements (probably because some VIPs had stupid passwords like their names + birth year?), I just started hitting the character minimum because I’d have to manually type it in at least once.
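As an added illustration (not code from anyone in the thread), the Python below counts how many passwords of the minimum length survive composition rules like the ones quoted above and how many bits of keyspace they remove, for both full printable ASCII and the letters-plus-digits most people actually type. The class sizes and the reading of "no sequential numbers" as "a digit immediately followed by the next digit up" are assumptions.

```python
import math
from collections import defaultdict

# Printable-ASCII class sizes used when no override is given (assumption).
LETTERS, SYMBOLS = 52, 33
DIGITS = 10  # the ten ASCII digits are always the digit class

def count_compliant(length, letters=LETTERS, symbols=SYMBOLS,
                    max_run=2, forbid_ascending_digits=True):
    """Count strings of `length` chars satisfying the quoted rules:
    at most `max_run` letters in a row, at most `max_run` digits in a row,
    and no digit immediately followed by the next digit up (assumed meaning
    of 'no sequential numbers'). Dynamic programming over the state
    (character class, current run length, value of last digit)."""
    states = defaultdict(int)            # state -> number of strings ending there
    states[('L', 1, None)] = letters
    states[('S', 0, None)] = symbols     # symbols are never run-limited
    for d in range(DIGITS):
        states[('D', 1, d)] = 1
    for _ in range(length - 1):
        nxt = defaultdict(int)
        for (cls, run, last), n in states.items():
            lrun = run + 1 if cls == 'L' else 1
            if lrun <= max_run:
                nxt[('L', lrun, None)] += n * letters
            nxt[('S', 0, None)] += n * symbols
            drun = run + 1 if cls == 'D' else 1
            if drun <= max_run:
                for d in range(DIGITS):
                    if forbid_ascending_digits and cls == 'D' and d == last + 1:
                        continue                    # e.g. '1' after '0'
                    nxt[('D', drun, d)] += n
        states = nxt
    return sum(states.values())

def keyspace_report(length=8, **kw):
    """Bits of keyspace before and after the rules, for the given alphabet."""
    alphabet = kw.get('letters', LETTERS) + DIGITS + kw.get('symbols', SYMBOLS)
    total, allowed = alphabet ** length, count_compliant(length, **kw)
    return {'total_bits': math.log2(total),
            'allowed_bits': math.log2(allowed),
            'bits_lost': math.log2(total) - math.log2(allowed)}

if __name__ == '__main__':
    print(keyspace_report(8))             # full printable ASCII
    print(keyspace_report(8, symbols=0))  # letters and digits only
```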