Password Length Offenders

A WIP list of companies who engage in bad password practices



Western Union 2021

Update (7/29/2021):

Mom’s dead

And @westernunion’s max password length is literally fucking 16 characters

Y’all are a bunch of dumbasses, gonna get ya ass whooped

Western Union password field

Update (5/25/2021): I thought this post was lost to the sands-of-time, but here it is! If you enjoyed this post, please consider signing up to my Patreon, or requesting me for Computer Science, programming, and Linux tutoring on the Wyzant platform.


Paypal 2018

Update (3/14/2018): Happy New Year again! It has been a while since I’ve gone through and updated passwords, but Paypal STILL has not updated their character maximum from 20 characters since before my update in July 2016, just 2 updates ago.

Paypal password field

Geico 2017

Update (3/2/2017): Happy New Year! Geico is not only limiting to 16 characters, but their entropy calculator is broken and not working correctly. Enjoy!

Geico password field
GRC entropy calculator

Paypal 2016

Update (7/20/2016): As much as I hate Paypal, they are looking clean nowadays. Too bad their passwords are limited to 20 characters. Oh well.

Paypal password field

Netflix 2016

Update (3/31/2016): So, I’m in the mood for some Netflix and chill, when suddenly a wild password box appears!

Netflix password field

50 characters is a weird number, and, while more secure than, say, 16, still suggests that Netflix is doing something improperly behind the scenes.


Coastal.com 2016

Update (02/13/2016): While no error message exists and thus I did not take a screenshot, coastal.com’s registration page only allows for a maximum of 16 characters in your password.


Livejournal 2015

Update (11/13/2015): livejournal.com, one of the oldest services I have used on the Internet, has a better-than-most password maximum character limit of 30 characters, and some fairly reasonable requirements, but it still has a maximum character limit.

Livejournal password field

Meanwhile, Navy Federal Credit Union’s standards are incredibly poor in comparison, having a password maximum character limit of 16 characters. Jesus Christ!

NFCU password field

usajobs.gov 2015

Update (10/19/2015): usajobs.gov’s account password requirements…still don’t understand why the limit on number of characters, or the limited subset of allowed special characters…

usajobs.gov password field

Blizzard battle.net 2015

Update (9/30/2015): Just confirmed that Blizzard’s Battle.net account registration / password reset has a maximum limit of 16 characters.

Blizzard battlenet password field

GRE 2015

Update (7/21/2015): Just found out that the GRE new account registration page has a maximum limit of 16 characters.

GRE password field

League of Legends 2015

Update (6/7/2015): Just found out that League of Legends has a maximum limit of 16 characters while signing up for an account. In addition, the password field on the signup form does not have a character limit. This is a minor point, but should be considered regarding unification of engineering processes in the design phase.

LOL password field

StumbleUpon 2015

Update (5/25/2015): Found out that StumbleUpon has a maximum limit of 16 characters while signing up for an account. No warning. No informational text. Just a hard limit set in the text field.

Stumbleupon password field

In the last few years, I’ve become interested in computer security and practical ways to maintain control over personal information. One of the simplest ways to do this is to use long passwords, usually composed of a passphrase that allows for a high amount of information entropy while being easy to remember. The passwords that I use are often 25+ characters…

That is, when websites allow for me to use them.

I decided late in January of this year, a few days after I was let go from my previous employer, to begin cataloging websites and companies that use bad password practices, such as having a maximum password length! I’d like to focus on maximum password lengths in particular, as this disrupts my personal ability to maintain a reasonable level of security with the services that I use regularly. Many of these companies are public-facing corporations with very large user bases. Companies that use maximum password lengths, in particular very small ones such as those I am about to list, not only open themselves up to attack, but deserve to be punished for failing to incorporate reasonable security practices in their organizations.

And now, for the list:


Comcast 2015

Comcast: Maximum length of 16 characters

Starbucks 2015

Starbucks: Maximum length of 15 characters

Virgin Mobile 2015

Virgin Mobile: Maximum PIN length of 6 digits

Geico 2015

Geico: Maximum length of 16 characters

connect.myflorida.com 2015

connect.myflorida.com: uses SSN and maximum PIN length of 4 digits

H&R Block 2015

H&R Block: Maximum length of 15 characters

Visa 2015

Verified By Visa: I don’t have an image for this one, and this might be bank-specific, but the version I’ve used has a password maximum of 10 characters.


Autodesk/Autocad 360 2015

Autodesk / Autocad 360 for Android: Maximum length of 12 characters

I’d like to consider this list a work in progress, so if you have any contributions that you’d like to see documented, please let me know by any of my available media (Facebook, Twitter, Gmail, IRC, etc.), preferably with a screenshot from the website as proof, and I’ll get them up here as they become available.


I think at this point, you get the picture.

We are badly in need of a world-wide revolution in many domains, and this is just one of them.

It is 2015. Why the fuck does anyone have password length maximums?
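On the storage side there is no reason for a small cap: a salted password hash stores the same number of bytes whatever the input length, while a backend that silently truncates to a cap accepts passwords that are wrong after the cut. The sketch below is an added example, not code from the author or from any company listed here; the function names, the PBKDF2 work factor, the 1024-byte bound and the sample passphrases are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor for this sketch
SALT_LEN, KEY_LEN = 16, 32
MAX_BYTES = 1024       # assumed generous bound, only to limit hashing work


def _derive(password: str, salt: bytes) -> bytes:
    raw = password.encode("utf-8")
    if len(raw) > MAX_BYTES:
        raise ValueError("password exceeds MAX_BYTES")
    return hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS, dklen=KEY_LEN)


def enroll(password: str) -> bytes:
    """Return salt || key: always SALT_LEN + KEY_LEN bytes, whatever the input length."""
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify(password: str, record: bytes) -> bool:
    salt, key = record[:SALT_LEN], record[SALT_LEN:]
    try:
        candidate = _derive(password, salt)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, key)


def enroll_truncating(password: str, cap: int = 16) -> bytes:
    """Anti-pattern: silently keep only the first `cap` characters."""
    return enroll(password[:cap])


def verify_truncating(password: str, record: bytes, cap: int = 16) -> bool:
    return verify(password[:cap], record)


if __name__ == "__main__":
    phrase = "correct horse battery staple"   # constructed sample passphrase
    near_miss = "correct horse bagel"         # shares only the first 16 characters
    record = enroll(phrase)
    print(len(record), verify(phrase, record), verify(near_miss, record))
    capped = enroll_truncating(phrase)
    print(len(capped), verify_truncating(near_miss, capped))
```

The stored record is 48 bytes for a one-character password and for a 28-character passphrase alike; only the truncating variant lets the near-miss log in.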