They're not necessarily storing passwords in the clear (though the Texas Secretary of State does[1], so it wouldn't surprise me).

For example, when updating a password on Facebook, they check to see if your new password is similar to your previous one by creating several variants of the new password, hashing them, and seeing if the hash matches any of your old password hashes.

[1] http://plaintextoffenders.com/post/68152196480/sos-state-tx-us-government-website-businesses
Unfortunately these asinine password requirements occur quite often. It's basically an indication that the site itself has poor security, and they're requiring a strong password to mitigate that risk. Also, if they are storing the password in plain-text, then it doesn't really matter how many fucking special characters your users have in their passwords :)

Also, users will just write down the password.
It's kind of fun working out how many passwords that is.

So letters + numbers + 3 special characters. Our first and last positions can't be special characters, and we can't have the same letters concurrently, so we're in the ballpark of:

62^2 * 64^6 = 264,157,668,573,184 passwords

However, passwords *must* contain a letter, number, and special character. This means that we can eliminate the entire letters + numbers set, the numbers + specials set, and the letters + specials set:

(62^2 * 64^6) - (62 * 61^7) - (10^2 * 12^6) - (52^2 * 54^6) = 2,261,873,997,098 - Did I get that math right?

That's still a decently large space, but it's small enough to be attackable even if the passwords are hashed.
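An exact count of that space, as an added example that is not part of the comment above. It assumes 8-character passwords, an alphabet of 52 letters, 10 digits and 2 special characters (so the middle positions draw from 64 symbols, matching the 62^2 * 64^6 figure), and first/last positions restricted to letters or digits. The dynamic program tracks which classes have already appeared, so the "at least one of each class" rule is counted exactly rather than by subtracting overlapping sets, and it can optionally enforce the no-repeated-adjacent-character rule as well.

```python
from functools import lru_cache


def count_passwords(length, class_sizes, allowed, required, no_adjacent_repeat=False):
    """Exact number of strings of `length` characters under the given rules.

    class_sizes: {class_name: number of distinct characters in that class}
    allowed:     function pos -> class names permitted at position pos
    required:    class names that must each appear at least once
    no_adjacent_repeat: forbid the same character twice in a row
    """
    bit = {name: 1 << i for i, name in enumerate(class_sizes)}
    need = sum(bit[r] for r in required)

    @lru_cache(maxsize=None)
    def walk(pos, last, seen):
        # State: position, class of the previous character, bitmask of classes used.
        if pos == length:
            return 1 if seen & need == need else 0
        total = 0
        for cls in allowed(pos):
            choices = class_sizes[cls]
            if no_adjacent_repeat and cls == last:
                choices -= 1  # cannot reuse the previous character itself
            total += choices * walk(pos + 1, cls, seen | bit[cls])
        return total

    return walk(0, None, 0)


# Assumed alphabet (constructed): 52 letters + 10 digits + 2 specials = 64 symbols.
SIZES = {"letter": 52, "digit": 10, "special": 2}
LENGTH = 8


def ends_alnum(pos):
    # First and last positions may not be special characters.
    return ("letter", "digit") if pos in (0, LENGTH - 1) else tuple(SIZES)


def thread_scenario(require_all_classes, no_adjacent_repeat=False):
    required = tuple(SIZES) if require_all_classes else ()
    return count_passwords(LENGTH, SIZES, ends_alnum, required, no_adjacent_repeat)


if __name__ == "__main__":
    print(f"positional rule only:        {thread_scenario(False):,}")
    print(f"+ every class required:      {thread_scenario(True):,}")
    print(f"+ no repeated adjacent char: {thread_scenario(True, True):,}")
```

Dividing the resulting count by an attacker's hash rate for the site's hashing scheme gives the exhaustive-search time the requirement actually buys.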
> If you have user ID or password problems, use the following address (place in the “To” field) to send an e-mail requesting assistance: websec.adminp@cs.oag.state.tx.us

This poor guy.