
Stop restricting my password - Help these sites get better security.

84 points by dinkumator, over 15 years ago

18 comments

staunch, over 15 years ago
I was thinking of creating a list like this of all the sites that (most likely) store passwords as plain text. I'd get the list by doing a password reminder and seeing if they email me my password.

Would be cool if that was added as a column here. I'd submit some sites.

dkokelley, over 15 years ago
One example of extreme login security that I've seen is with treasurydirect.gov. Password: min 8 char, 1 letter, 1 number, 1 special. Mailed key card: 7 x 5 alphanumeric grid with a random 3 char series ((A2, G5, F5) for example), 1 out of 3 sets of 10 digit numbers on your key card, 3 security questions on unrecognised computers (out of around 10 - you must remember which 3 questions you set and answer them appropriately), and to top it all off, no keyboard entry - you have a randomly ordered soft keyboard that must be clicked for all password and keycard entries.

Personally, I think it's overkill, but I'll admit that I wouldn't envy anybody tasked with getting someone's account.

kogir, over 15 years ago
Charles Schwab takes long passwords but truncates them at 8 characters without telling you. I discovered this the hard way by trial and error when linking it in Quicken.

DanielStraight, over 15 years ago
I like the idea. I think it would be nice to also include sites that store passwords in plain text. I always email sites if they send me my password in plain text. Half the time they reply and say it's not really so bad. Half the time they reply and clearly don't understand why I would even care. I've yet to see anyone admit that it's a problem. If we could get that solved, that would really be nice.

TheKid, over 15 years ago
ING's isn't a password, it's a PIN number. That's why you can't use any letters or special characters.

icefox, over 15 years ago
I believe that the logic behind ING direct is that by requiring you to use a mouse to click out your password it prevents key sniffers. And they show you a keypad being a bank.

dinkumator, over 15 years ago
There's really no point in restricting length or non-alphanumeric characters. They should be storing a salted hash, not the actual passwords, so the content of the password shouldn't matter.

It's really just laziness and incompetence on the part of the programmers.

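The storage approach dinkumator describes, set beside the silent 8-character truncation kogir reports, as an added example that is not part of the thread or any listed site's code. PBKDF2-HMAC-SHA256, the iteration count, NFKC normalisation, and all function names and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

ITERATIONS = 100_000   # assumed work factor for this example; tune upward in production
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Accepts any length and any Unicode characters."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per account
    # NFKC so the same visible password matches across keyboards/platforms.
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def hash_truncating(password: str, limit: int = 8) -> Tuple[bytes, bytes]:
    """Contrast case: silently keep only the first `limit` characters."""
    return hash_password(password[:limit])


def verify_truncating(password: str, salt: bytes, expected: bytes, limit: int = 8) -> bool:
    """Contrast case: the check truncates too, so the tail is never examined."""
    return verify_password(password[:limit], salt, expected)


# Constructed sample passwords, not taken from any real account.
LONG_PW = "correct horse battery staple / pässwörd ✓ !@#$%^&*()" * 4
SHORT_PW = "hunter2-with-a-long-tail"
WRONG_PW = "hunter2-completely-different"

if __name__ == "__main__":
    salt, digest = hash_password(LONG_PW)
    print(len(LONG_PW), "chars ->", len(digest), "byte digest")
    print("full check rejects wrong tail:",
          not verify_password(WRONG_PW, *hash_password(SHORT_PW)))
    t_salt, t_digest = hash_truncating(SHORT_PW)
    print("truncating check accepts wrong tail:",
          verify_truncating(WRONG_PW, t_salt, t_digest))
```

The stored record is always 16 bytes of salt plus 32 bytes of digest, whatever the password contains, which is why the column width gives no reason to limit length or character set.
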
kylec, over 15 years ago
> Google, MSN, Facebook, Twitter - They all already allow you to use anything you want for your password.

This is not strictly true - while Google et al might have a large set of permitted characters, there are nearly always restrictions on length. Google, for example, requires that their passwords be at least 8 characters long. While a long password does reduce brute-force attacks and shoulder-surfing, it nevertheless is a restriction.

sriramk, over 15 years ago
American Express is the worst offender. They don't accept my usually long passwords/passphrases so I had to conjure up a shorter password just for their system.

eli, over 15 years ago
Yeah, ING Direct's password scheme is pretty lame. I assume the idea was to use a simple numbers-only on-screen keyboard to avoid keyloggers. Seems silly, since if malware were to target them it would obviously just track clicks instead.

Though to be fair, they ask additional security questions if you haven't previously logged in from that browser.

pierrefar, over 15 years ago
Just 2 days ago, I got a call from Natwest bank (UK) from the credit card fraud team. Again. I duly called back and they explained that an attempt to use my card online failed at the Secure Code step. I explained to the caller that Secure Code is a piece of rubbish because it uses very weak passwords (alphanumeric only, 8 chars long) and it's the equivalent of protecting my money by wrapping it in a piece of paper. I refuse to sign up to it or use it because it is so rubbish.

He couldn't care less. So I asked him to file a formal complaint about this point. I doubt he did.

For those that want to know more about InSecureCode: http://www.mastercard.com/us/personal/en/cardholderservices/securecode/index.html

Elepsis, over 15 years ago
Erm, Delta sure seems like an odd member of the list, doesn't it?

They require you to enter a SkyMiles number and a PIN, along with your last name... all of which is certainly not very secure information. But ultimately, all that gives you access to is viewing a person's SkyMiles account. It hardly seems to make sense alongside banking sites.

1amzave, over 15 years ago
How timely! Just last night I was frustrated by a stupid policy when changing my online banking password (my bank is now listed). I think his once-a-month policy could stand to be more aggressive, though.

teye, over 15 years ago
I can upvote one item as much as I want if I clear my cookies.

Voted for Amex (twice). I'm always annoyed that the 8-character limit prevents me from using my normal password + PwdHash.

pieter, over 15 years ago
The postbank (in the Netherlands) still have case-insensitive passwords, decreasing password complexity by orders of magnitude.

weaksauce, over 15 years ago
So ING direct only lets you use numbers? Are there more authentication steps than just a login / pin combo?

josefresco, over 15 years ago
Hey business owner. I see that you're using a faulty window lock on your back window and I'm concerned about my data. I took the liberty of posting on a town bulletin board details of this faulty lock along with other local businesses that have the same lock in hopes that the townspeople will pressure you into improving your window lock system.

jdagostino, over 15 years ago
You should add a feature to flag duplicates - Westpac is listed multiple times.