What login rate-limiting, account lock-out, and password expiry policies do they have though?

Based on the password requirements, they have something like 2.6 trillion possible passwords. If your account is locked out after 3 failed login attempts, if they limit to one attempt per second, or if they have a forced password change every month, etc. there are a number of ways to tighten this up.

Their password policy is anachronistic, and this /could/ be a symptom of other issues. However, by itself, it seems more like a usability issue than a security issue.

In fact, they could be attempting to discourage password reuse with other sites. That would be a security bonus if it worked (I doubt it works).
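Added example, not part of the comment above: a per-account throttle that enforces the one-attempt-per-second limit and the three-failure lock-out the comment mentions, then measures how much of the 2.6 trillion keyspace is reachable before a monthly forced change. The 15-minute lock-out duration, the 30-day month and all class and function names are assumptions.

```python
from dataclasses import dataclass, field

KEYSPACE = 2.6e12  # "2.6 trillion possible passwords", figure from the comment

@dataclass
class LoginThrottle:
    """Per-account guard: minimum spacing between attempts plus lock-out."""
    min_interval: float = 1.0     # one attempt per second
    max_failures: int = 3         # lock after 3 consecutive failures
    lock_seconds: float = 900.0   # assumption: 15-minute lock-out
    _last: dict = field(default_factory=dict)
    _fails: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'throttled', 'ok' or 'fail' for an attempt at time now."""
        if now < self._locked_until.get(account, 0.0):
            return "locked"      # the password is not even checked
        if now - self._last.get(account, float("-inf")) < self.min_interval:
            return "throttled"   # too soon after the previous attempt
        self._last[account] = now
        if password_ok:
            self._fails[account] = 0
            return "ok"
        self._fails[account] = self._fails.get(account, 0) + 1
        if self._fails[account] >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            self._fails[account] = 0
        return "fail"

def guesses_checked(throttle, window, step=0.5, account="alice"):
    """Count wrong passwords actually evaluated when attempts arrive every step seconds."""
    results = (throttle.attempt(account, False, i * step)
               for i in range(int(window / step)))
    return sum(r == "fail" for r in results)

def keyspace_fraction(guesses_per_hour, hours=30 * 24):
    """Approximate share of KEYSPACE reachable in one 30-day password lifetime."""
    return guesses_per_hour * hours / KEYSPACE

if __name__ == "__main__":
    for label, t in [("rate limit only", LoginThrottle(max_failures=10**9)),
                     ("rate limit + lock-out", LoginThrottle())]:
        per_hour = guesses_checked(t, 3600)
        print(f"{label}: {per_hour}/hour, "
              f"{keyspace_fraction(per_hour):.2e} of keyspace/month")
```

The lock-out also rejects a correct password while it is active, which is the usability cost of that policy.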