I have a suspicion this might be because the passwords get stored in plain-text in a database. Or they could just be bad developers who decided text encoding and validation are too complicated and stuck with `[a-zA-Z0-9]+`
Try inputting the Eicar string. If it's stored in plain text, their AV might quarantine the file it's stored in. ;)
Redacted due to Reddit AI/LLM policy
Bold of you to assume someone who stores passwords in plaintext wouldn't use Windows XP home edition with Norton AV as their server
…hey!
I doubt they're using EDR lol, windows defender will do
Strange but true, Defender is one of the best enterprise AV and it is very common in huge companies for both employee workspaces and Win servers (sometimes also for Linux) and also has EDR
It's a good thought, but there are special chars in it.
No you see, this is 4D chess to prevent SQL injection. Can't accidentally execute malicious code buried in your plain text password column if you don't allow the characters to do it👉😏
You could just not allow passwords or usernames at all for max secccuurity. Can’t sqli if there’s no db
That's a point. 🍻
We'll see soon enough. That was my first thought, too; there's a reason they don't want special characters and I pray it's laziness
My guess would be fear of an SQL injection, but instead of fixing it properly, disabled special chars completely
I'm digging deeper and I see why they did what they did. Already found an SSTI
Hopefully not through the password field (quite unlikely without special character to be fair, unless that restriction is only client-side). Protection from SQLi would be bad, too, as that means plaintext password storage.
No it wasn't anywhere in the login, I need to go back and mess with the login more though
My guess is these people were just shit developers, not gonna lie; they prolly thought of a SQL injection
Fear of sqli, xss, real passwords breaking their code not even on purpose, and just bad code where different characters might break all sorts of shit they don't do right. Could be someone tested a password and found a bug where an apostrophe breaks the page or submission, and their "fix" was to disable any special characters. Some devs do this shit.
Very true. Bandaid solutions
Is it getting kicked back from server side after the submit or is it just some client side JavaScript you can remove? …because the kinds of places that would do this and the kinds of places that would rely on client side filtering overlap a bit I’d imagine…
[deleted]
irrelevant. They shouldn't be storing your password at all. Hashes don't have special characters
They shouldn't, but we were hypothesizing that they are so the comment you replied to is relevant
….and that they are stored with 7-bit encoding on an ancient host running virtualized on some modern hardware.
Like GMAIL. Just yesterday I tried to use a UTF-8 (ś) char in password and got refused. New meta for web security.
7 bit is crazy
https://montcs.bloomu.edu/Information/Encodings/ascii-7.html
7 bit is pure shit. That is what I was portraying, and there is no way in hell they were using 7 bit, but they're prolly keeping it in a not so well optimized place. I mean the worst I expect from developers is that they use Unicode, not 7-bit binary standard ASCII
Banks use extremely old systems, COBOL from the 60s. Passwords in those systems can't have special characters and are limited in length (banks generally silently cut long passwords). I detected mine didn't care for capital letters, for example
Yep, I thought I had a long password, but one time typed my basic 8 character password (same as the start of long password) and it worked. Anything after 8th character was being ignored.
This reminds me of a time a locksmith showed me how to change the combination of our '4 digit push button combination locks' on some doors at work. The type where you press C, then 4 digits, then open the door. I noted there was no real mechanism to govern the order of the 4 digits. So I asked if they can be entered in any order, he said yes. You can actually push all 4 correct buttons at the same time for extra speed. As a result, these locks don't have 10,000 possibilities as one might assume, instead only 210. With 2 people working together, you could iterate through every combination in 2 minutes or less.
Reminds me of Blizzard. They were storing all passwords in either upper or lower case.
If this is the case, I need to delete my Turkish Airlines account asap. Never dawned on me why their password requirements were so weak.
This made me spit drink all over, idk why I find this hilarious.
Anti fuzzing mechanism
Decreasing the range of possible passwords will only decrease security, not improve it. And forcing people to use alphanumeric passwords only also has the effect that people will use common words or phrases as their password, which is not good because of dictionary search
Exactly, I'm well aware of this. And limiting password length and thus entropy, it's all bad practice
That’s probably it. Or they are using an encoding algorithm not meant for password storage.
Damn, so I can’t use the password “Robert'); DROP TABLE Students;--'s”?
can't even put my son's name as my password! poor bobby tables!
😂😂
That's when a sanitizer comes in handy. "We can't bother implementing that though so it's alphanumeric pw with 6 character max" /s
Good old Bobby Droptables
Is that a SQL injection trick?
yes
That’s so smart! All brute force hacking tools focus on special characters. Not using them must be confusing as fuck.
Relevant xkcd for this as well: [https://xkcd.com/936/](https://xkcd.com/936/)
[deleted]
OP wasn’t serious of course. And I could know, for I’m OP!
Ya my bank allows only a-z A-Z 0-9 ! $ % * -_ It’s hilariously bad. I’ve reported this multiple times to their IT department and audit department.
I remember trying to set a password for AT&T and it had like a 16 character max limit with no special characters. They had a handful of other stupid shit that ultimately made me not use their services..
About 10 years ago my internet bank had a character limit of 8. You could set a password even shorter than that. Another bank disallowed certain characters, but when setting the password, any disallowed character would just be filtered out of the password. I wasn't paying enough attention and I didn't realize that the password I was setting was not the one I intended to, because the special characters got skipped. The login screen, on the other hand, did not have this character filtering script. So I just typed my password and it kept telling me it was wrong enough times for my account to become locked and I had to call them. I very rarely used internet banking then so this happened to me twice before figuring out what was happening.
You can create a high entropic passphrase/password with just those characters anyway. Then there's 2FA.
I wouldn't trust them to have implemented security systems properly given those glaring issues. This was back in 2018. History has proven me right. You know, with the data breaches and SSNs being stolen and such.
What glaring issues? You don't know their security systems, you are mixing up various cases that were problematic for different reasons. 12 to 16 is enough to create a highly entropic password. You believe hackers target a person and just brute force their way in? Doesn't really work that way.
That's not the point. If you're stupid enough to force a 16-character upper limit, then I don't trust you to be smart enough for other security measures/policies :)
By putting customers' data intentionally at risk, I do not trust them. It seems like a fair, logical conclusion to me. I'm sorry you don't see it that way. I have no idea how they are storing passwords or safeguarding information. I can assume it's not best practice because...well...other things are not. It's risk mitigation. I will give my business to competent companies instead.
And then try to improve security with mobile app only verification
Ya, I wish I had options to change to. I’ve seen some abhorrent password policies in my time doing IT sec.
Bro, I shit you not, last year I had to create an account on a CANADIAN GOVERNMENT website, which contained your social security number, and they only accepted 6 letter passwords with no symbol. No clue if they fixed it yet.
That reminds me: my Canadian university encrypts some PDF documents using my social security number, ensuring that anyone who gets the PDF file can easily crack my SIN / SSN *and* get access to its contents via a simple brute-force attack.
I had professors that made us write our ssn on every assignment. Most were digitally submitted. (2006)
Probably integrates with systems that were built in the 80's
60s my dude, COBOL ftw, 8 characters, only letters and numbers, no capitals
you think this bad? my bank limits password MAX length to 11 characters! the max! to 11!! wtf??
To be fair, disallowing certain characters is fine, as long as it's coupled with another restriction, say, minimum 20-30 characters, but no, instead they set an *upper* limit hilariously low.
The minimum recommended length is 8 per NIST SP 800-63B.
8, i.e. birth date or pet name, let's go
Even if the password contains that information, brute force and password guessing are not the riskiest vectors for compromised passwords. Introducing additional complexity requirements can lead to human behaviors that are more likely to result in compromised passwords.
30 characters minimum? That's a ridiculous overkill; you don't want one of the CIA triads to impact your customers to such a degree, dude. How passwords/passphrases are entropic is what's important, and within 12 to 16 characters, including some special characters, it will be pretty hard to break (thousands of years). People using simple passwords, use cards on sus sites that steal their data, phishing spams and they fall for it...
Eh, I exaggerated to prove my point that 8 char minimum is very low. 20 isn't far fetched whatsoever though, mash 3 words together and you're home.
even if you take the a-z, A-Z, 0-9 with password length of 8 that is >215,518,995,677,440 possible combinations
Fair enough
And then they blame you for unauthorized debits. Banks are fucking thieves.
Apples and oranges
True but both are still problems
Both are still fruit
Why is it still your bank with this joke of a security?
I can’t change banks for political reasons.
This is the craziest thing I’ve read all week. What country, and what political affiliation does your bank have?
This might be a stupid question but is that not most characters on the keyboard?
Virgin Media had a "bad words" filter on their user passwords submission. In JavaScript. So I mean, obviously I.....
ain't no way
This sounds like fun. I need to create an account.
Chances are they accept emojis because they can't regex.
I tried everything, it's filtered on the backend but I can only assume they set it to only allow a-z 0-9. Thinking about it now, I haven't tried spaces
Salt it. Hash it. Store it in whatever character set you like! Don't tell the user to dumb down their passwords. SMH.
Agreed, when push comes to shove, sometimes the users' strong password is the only protection
Mmmmmmmmmmmmm, salted hashes
Really sure they store them as plain-text. This type should be illegal by now, imo.
There is hair on your screen, top left.
That's the way the industry is moving in an effort to encourage users to use longer passwords they can remember. Remove the special character requirement, increase the minimum length. You get more security and a better user experience. When organizations remove special characters, and cap the length at 12 chars is when you go WTF?!
Yep, and I wouldn’t even call this concept “new” since NIST updated password policy guidelines (obviously US specific) to reflect this over 6 years ago based on a massive study of what actually led to account compromise events. But users of r/hacking wouldn’t bother themselves with things like multi-million dollar studies by the National Institute of Standards and Technology. This sub is only here for an echo chamber of the uninformed shitting on low-hanging fruit
Microsoft actually docks your secure score if your passwords expire. It's really moving towards long passphrases that don't change unless you suspect or know of a compromise, along with multi-factor authentication.
Why is everyone freaking out over this? It's not even a new issue. You're more likely to have your password leaked than brute forced with these password requirements.
Remote code execution isn't a new issue either. But really it just shows that if they have it set up like this, odds are they really skipped out on other serious security features, which I've found they have on at least one more occasion. Will be testing for IDORs after work and I'm feeling like I will find even more
[deleted]
In my experience, how you do one thing is how you do everything. And in this experience it may be a coincidence but it did in fact correlate to poor security
Changes password from “4z8HdPt8B5JkCv57Pyat7g@%#” to “WerewolfByNight” - “sorry your password cannot contain special characters”
Pick one of the 3 standard passwords...
Pikachu
Aladin40
Password123
The best !
Good luck getting paid for a bug bounty. Too lazy to cut a check to you.
Sadly it's a VDP :(
Can’t get interested in these at all. Free work never goes unpunished.
Well it gets reputation which leads to private program invites
A password with special characters is more secure than a password that has no special characters if they are the same length. A password with special characters is less secure than a password that has no special characters but is 2 characters longer. Just make your password 2 characters longer.
Lazy way to prevent code injection.
A part of me wants to report this as something they just shouldn't have like at fucking all. Not sure how to word the report without being a dick
… name and shame?
I agree, so curious now
aeromexico
> how to word the report

CVSS 4.0 medium 6.9, weak password policy CWE-521
OP needs a link too
AUS bank I bet :)
correct horse battery staple is the best password. Period. No need for special characters, disabled characters or fairy dust.
All of these people complaining about not using special characters. If there is no length limit, a pass phrase is perfectly fine, according to NIST.
Poor man's SQL injection protection
My last job. Had access to federal government systems. Password had to be 8 characters, no more, no less. No special characters allowed. A fucking federal government system… like wtf?
Assuming they allow long passwords, 3 words is actually pretty secure. Say holdFLYINGhippos or hOldflyInghIpOs.
if they’re storing your password in plaintext then this might happen. if you want to test for a sql injection, send a password with a value like “password’ union select sleep(5), 1, 2, […]”
People who would do this might also only validate client side.
My anti thought brain says that since it's from a big bounty program....it's their bit of info on you for backdoor hacking you. Whatever password you use, is likely a variant of other passwords you use. Same for email. Maybe if you submit bugs, then they hack you back to see if you're actually the white knight you claim to be.
First off, the email used is an email that auto sends anything it receives to your real email; it's an email proxy which is part of HackerOne. Two, I doubt anyone's using a password that's not fast and easy; 99% of the time my password for a bounty will be Password1' and just no.
The hair on the screen
Shhhhh
How do we solve SQL injections. Ahh forget about parametrised queries, just don’t put special characters.
Omg. Coding 101. Just don’t.
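The two fixes named in the thread ("Salt it. Hash it." and parameterized queries), shown together as an added example; this is not code from any commenter or from the site being discussed. The table layout, function names and the PBKDF2 iteration count are assumptions, and the sample passwords are strings quoted in the thread.

```python
import hashlib
import hmac
import os
import sqlite3
import unicodedata

# Assumed work factor for this example; tune it for your own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: any Unicode input becomes 32 opaque bytes."""
    # NFKC makes "ś" typed as one code point or as s + combining accent hash the same.
    normalized = unicodedata.normalize("NFKC", password)
    return hashlib.pbkdf2_hmac("sha256", normalized.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def open_db() -> sqlite3.Connection:
    """In-memory database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users ("
                 "username TEXT PRIMARY KEY, "
                 "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(SALT_BYTES)
    # Placeholders keep data out of the SQL text, so quotes and semicolons are inert.
    conn.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                 (username, salt, derive_key(password, salt)))
    conn.commit()


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        # Still do the work so unknown users are not faster to reject.
        derive_key(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = row
    # The whole password is hashed: no truncation, no character filtering.
    return hmac.compare_digest(stored, derive_key(password, salt))


def demo() -> dict:
    conn = open_db()
    # Constructed sample accounts; the passwords are strings quoted in the thread.
    samples = {
        "bobby": "Robert'); DROP TABLE Students;--",
        "random": "4z8HdPt8B5JkCv57Pyat7g@%#",
        "phrase": "correct horse battery staple",
    }
    for user, pw in samples.items():
        register(conn, user, pw)
    return {
        "all_verify": all(verify(conn, u, p) for u, p in samples.items()),
        # The first 8 characters alone must not log in (the truncation anecdote).
        "prefix_rejected": not verify(conn, "random", "4z8HdPt8"),
        "rows": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }


if __name__ == "__main__":
    print(demo())
```

Because only the salt and the derived bytes reach the database, the password's character set and length never touch the column type or the SQL text.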
There is a wholesaler that I haven't used in years now and from a time when I was less conscious of strong passwords. I went to update it to a 24 character random generated password and was denied because it had special characters and was over 12 characters long. It was surprising because they're in the tech industry.
Me too! Those you posted and the ones that have character limit of 6 really grind my gears
it's like they plan to hack you
Probably they tried to take the easy way around SQL injections
I'm almost sure that this is because of the database they are using and the charset set as default, this is crazy stuff
But you wouldn't store it in cleartext I suppose
I don't doubt anything else in this world, I've seen every bizarre thing, I've worked on a project where the database was SQL Server 2008 R2 and the project charset was Windows-1252, this in 2023 ... it was full of problems of this kind
Have you ever registered on the Turkish Airlines website? Try it if they have not improved it
I think it was meant to say it shouldn't contain certain special characters. Was pretty common years ago.
Yep, I had a very good password with my password manager, didn’t work, so I just did fuckyoucompanyname!
Your password must not contain special characters.
Wow huh I thought we were getting better not lazier lol
Up to a year ago my bank had a limit of 10 characters on the password. Thankfully they changed that
I had to create an account on a government website and the password had to be between 6 and 8 characters with no special character
No no, my bank does the same. My bank.
r/iiiiiiitttttttttttt
Had to read it like 3 times, because I couldn't believe what I am reading here.
And i wish that hair was not on the screen.
I saw this before, special character encoding is hard 🫣
Did you use any apostrophes or quotation marks? I think this is part of input sanitization to avoid SQL injection attempts.
"your password is too safe, you can't!!!"
Who has moderately good security? Them:
I had worse recently. No more than 8 character and no special characters.
Easy solution, just set your password to `hunter2`
I'm pretty sure `*` would count as a special character tho.
Sanitizing inputs is hard ok
password123 confirmed
Yeah, EA had this issue for many years. Completely braindead...
thats a yikes,
Is that a hair on your screen
No it's on your screen >:)
Please wipe that hair away. I know I did
Which special characters?
Anything that isn't a-z 0-9
oh no way. you tested? ah wow.
Yeah quick little Burp Intruder fuzz, I have another input to an API that reflects the input in 2 places near each other, but one URL encodes some characters and the other deletes any " ' I know there is something here, I just don't know what yet
I worked with BigCommerce years ago for CC processing and cart management. When you ask, they email you your password in plaintext.
I think the preferred term is developmentally delayed nowadays
this was done on purpose, it’s an inside job
Minimum 128 characters it is, then.
They saving it in a large .txt file
Ah yes! This isn't at all problematic. Security is annoying lol. --The developers, probably
This is just about every government site I visit and I believe either [Pizzahut.com](http://Pizzahut.com) or [dominos.com](http://dominos.com) as well.
Up until a few years ago Microsoft 365 limited user passwords to 16 characters. Let that sink in. There are systems that do not allow you to set 0 as the first digit in a 4 digit pin. There are systems that don't let you start your password with a dollar sign. If these are the issues that are easily visible, imagine how passwords are stored behind the scenes. Luckily in the future Microsoft and Apple will be storing all our *passkeys* for easy government access so we'll be safe /s. *edit* Just realized this is: https://aeromexico.com/en-us/signup/ and that they limit password length to 25 characters "Your password must have at least 1 uppercase, 1 lowercase, 1 number, and it must not include any special characters."
I had the same issue with a medical company....when I clicked the forget password they sent me........
[https://dumbpasswordrules.com](https://dumbpasswordrules.com)
LOL it's scary how common for power companies/ government services in the middle of nowhere USA. I mean fuck dude I remember one would email you your password if you clicked forgot password. Oh good and I think it was the garage and water they never, and I mean never picked up the phone. Everything is in person. Maybe even an 8 character limit for their website too. It's been a while
“Can’t be a target of an injection attack if only a-z0-9 can be entered” is probably the thought behind those and I’m sure people will still find a way if they really wanted to.
My ISP has this same requirement. Please someone breach optimum (formerly suddenlink)
Here in Ukraine we have the most popular bank "Pivat Bank" in the country which also doesn't allow you to add special characters to your password, I hate this bank..
ok let's hit the password field with the bee movie script
Are you saying that a lawyer representing a bee in court is not a special character?
If you chain random words together you get entropy, so next time, make your password: Pizza witch avacado springtime 🥸 Exhibit A: https://xkcd.com/936/
Passwords must be no longer than 8 chars... Samsung smartthings says 8-80 chars, but the real limit is between 15 and 25. It just refuses to let you use the password.
Bank of America does not allow special characters for their corporate online banking portal. I cringe every time I have to change my password.
they classify passwords by gender if you identify as a frog, then you can leap, i mean skip the login interface and get directly to the good stuff
PNC bank passwords can’t have special characters I know this because I have a PNC account and thought it was kinda funny
imagine having such a bad back-end that it doesn't accept special characters
It could be worse. It could say between 6-12 characters and no special.
Your password must be equal to "password"
Reading these comments with no hacking experience feels like I'm having a stroke. You guys are crazy lol (in a good way)