evildojo

Password Length Offenders

A WIP list of companies who engage in bad password practices


Update (3/14/2018): Happy New Year again! It has been a while since I've gone through and updated passwords, but Paypal STILL has not updated their character maximum from 20 characters since before my update in July 2016, just 2 updates ago.

Paypal password field


Update (3/2/2017): Happy New Year! Geico is not only limiting to 16 characters, but their entropy calculator is broken and not working correctly. Enjoy!

Geico password field

GRC entropy calculator


Update (7/20/2016): As much as I hate Paypal, they are looking clean nowadays. Too bad their passwords are limited to 20 characters. Oh well.

Paypal password field


Update (3/31/2016): So, I'm in the mood for some Netflix and chill, when suddenly a wild password box appears!

Netflix password field

50 characters is a weird number, and, while more secure than, say, 16, still suggests that Netflix is doing something improperly behind the scenes.


Update (02/13/2016): While no error message exists and thus I did not take a screenshot, coastal.com's registration page only allows for a maximum of 16 characters in your password.


Update (11/13/2015): livejournal.com, one of the oldest services I have used on the Internet, has a better-than-most password maximum character limit of 30 characters, and some fairly reasonable requirements, but it still has a maximum character limit.

Livejournal password field

Meanwhile, Navy Federal Credit Union's standards are incredibly poor in comparison, having a password maximum character limit of 16 characters. Jesus Christ!

NFCU password field


Update (10/19/2015): usajobs.gov's account password requirements: I still don't understand why there is a limit on the number of characters, or why only a limited subset of special characters is allowed...

usajobs.gov password field


Update (9/30/2015): Just confirmed that Blizzard's Battle.net account registration / password reset has a maximum limit of 16 characters.

Blizzard battlenet password field


Update (7/21/2015): Just found out that the GRE new account registration page has a maximum limit of 16 characters.

GRE password field


Update (6/7/2015): Just found out that League of Legends has a maximum limit of 16 characters while signing up for an account. In addition, the password field on the signup form does not have a character limit. This is a minor point, but should be considered regarding unification of engineering processes in the design phase.

LOL password field


Update (5/25/2015): Found out that StumbleUpon has a maximum limit of 16 characters while signing up for an account. No warning. No informational text. Just a hard limit set in the textfield.

Stumbleupon password field


In the last few years, I've become interested in computer security and practical ways to maintain control over personal information. One of the simplest ways to do this is to use long passwords, usually composed of a passphrase that allows for a high amount of information entropy while being easy to remember. The passwords that I use are often 25+ characters...

That is, when websites allow for me to use them.

I decided late in January of this year, a few days after I was let go from my previous employer, to begin cataloging websites and companies that use bad password practices, such as having a maximum password length! I'd like to focus on maximum password lengths in particular, as this disrupts my personal ability to maintain a reasonable level of security with the services that I use regularly. Many of these companies are public-facing corporations with very large user bases. Companies that use maximum password lengths, in particular very small ones such as those I am about to list, not only open themselves up to attack, but deserve to be punished for failing to incorporate reasonable security practices in their organizations.
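The entropy argument above can be made concrete. The Python below is an added example, not code from this post: it estimates the ceiling a length cap puts on the entropy a site can ever receive (assuming, generously, uniformly random characters from the 95 printable ASCII symbols), compares that with a diceware-style passphrase (standard 7776-word list), checks whether such a passphrase even fits under a cap, and shows that a salted PBKDF2 digest is the same size whatever the password length, so storage is no justification for a cap. The `CHARSETS` table, the demo salt and the sample passphrase are constructed for the demonstration.

```python
import hashlib
import math

# Alphabet sizes used for the estimates (constructed assumptions; a real
# password often draws from a smaller set than the site permits).
CHARSETS = {
    "digits": 10,            # numeric PINs
    "lower": 26,
    "alphanumeric": 62,
    "printable_ascii": 95,   # every printable ASCII character
}

DICEWARE_WORDS = 7776  # 6**5 entries in the standard diceware list

# Constructed sample passphrase: five words, 26 characters with spaces.
SAMPLE_PASSPHRASE = "lamp river copper dune fox"


def entropy_bits(length, alphabet_size):
    """Entropy, in bits, of `length` symbols drawn uniformly and
    independently from an alphabet of `alphabet_size` symbols."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def cap_ceiling_bits(max_length, charset="printable_ascii"):
    """Upper bound on entropy a site can accept once it caps password
    length, even if every user picked perfectly random characters."""
    return entropy_bits(max_length, CHARSETS[charset])


def passphrase_bits(word_count):
    """Entropy of a diceware-style passphrase of `word_count` words."""
    return entropy_bits(word_count, DICEWARE_WORDS)


def passphrase_fits(passphrase, max_length):
    """True if a site with this cap would accept the passphrase at all."""
    return len(passphrase) <= max_length


def stored_digest_len(password):
    """Length in bytes of a salted PBKDF2-HMAC-SHA256 digest. The size is
    fixed by the hash, not by the password, so a hashed credential store
    gains nothing from a length cap."""
    salt = b"constructed-demo-salt"  # demo only; use os.urandom(16) per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return len(digest)


def cap_report(max_length, charset="printable_ascii", words=5):
    """Summarise what a cap costs: its theoretical ceiling versus a modest
    diceware passphrase, and whether that passphrase fits under it."""
    return {
        "max_length": max_length,
        "ceiling_bits": round(cap_ceiling_bits(max_length, charset), 1),
        "passphrase_bits": round(passphrase_bits(words), 1),
        "passphrase_fits": passphrase_fits(SAMPLE_PASSPHRASE, max_length),
        "digest_len": stored_digest_len(SAMPLE_PASSPHRASE),
    }


if __name__ == "__main__":
    for cap in (16, 20, 50):
        print(cap_report(cap))
    print("6-digit PIN:", round(entropy_bits(6, CHARSETS["digits"]), 1), "bits")
    print("4-digit PIN:", round(entropy_bits(4, CHARSETS["digits"]), 1), "bits")
```

Running it shows the less obvious half of the argument: a 16-character cap still permits about 105 bits of entropy on paper, but only for a random 16-character string nobody can remember. What the cap actually blocks is the 26-character, roughly 65-bit passphrase a person can carry in their head, so in practice it pushes users toward shorter, weaker, reused secrets. A 6-digit PIN is under 20 bits and a 4-digit PIN about 13, which is why an SSN plus PIN login is far weaker than any of the password caps listed. The digest length is 32 bytes whether the input is 16 or 200 characters; the only input limit a hashed store should impose is a generous one (hundreds of characters) to bound hashing cost, and the reader should know that bcrypt in particular silently truncates input at 72 bytes, so a site using it should say so or pre-hash.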

And now, for the list:


Comcast: Maximum length of 16 characters


Starbucks: Maximum length of 15 characters


Virgin Mobile: Maximum PIN length of 6 digits


Geico: Maximum length of 16 characters


connect.myflorida.com: uses SSN and maximum PIN length of 4 digits


H&R Block: Maximum length of 15 characters


Verified By Visa: I don't have an image for this one, and this might be bank-specific, but the version I've used has a password maximum of 10 characters.


Autodesk / Autocad 360 for Android: Maximum length of 12 characters


I'd like to consider this list a work in progress, so if you have any contributions that you'd like to see documented, please let me know by any of my available media (Facebook, Twitter, Gmail, IRC, etc), preferably with a screen shot from the website as proof, and I'll get them up here as they become available.


I think at this point, you get the picture.

We are badly in need of a world-wide revolution in many domains, and this is just one of them.

It is 2015. Why the fuck does anyone have password length maximums?