This is a rant about dumb password policies enforced by some websites or apps. If you see these password rules forced to you, try to stay away if possible.
Can’t use special characters, or use a pre-defined special characters only
Are you storing the password in plaintext that your database will break when have special characters?
Password can’t be longer than X characters
Most probably storing the password in plaintext and their database column is limited to those characters limit.
Password expire every X months, without notice, suddenly can’t login. Reset it and can’t use the last 5 passwords
They store your previous passwords, either encrypted or plaintext.
The biggest red flag is when they try and stop you from pasting your password (or anything else for that matter) breaking password managers.
There are years-long arguments on social media with companies who do this with actual security experts telling them they’re hurting security (including referencing organisations like the UK’s National Cyber Security Centre) and their only response is “we don’t allow pasting for security reasons” but they can never explain how it helps security - because it doesn’t. It drives me mad.
I had one recently that (when changing / creating the password) would allow you paste into the “new password” field but not the “confirm password” field. Super annoying.
I just opened dev tools, pasted it into the “value” property for the control, and kept on truckin’. Just nuts that had to be done though.
Lots of sites do it on the email fields for some reason. I’m far more likely to miss type my email address, twice, than my password manager is likely to somehow complete it wrong.