Hacker News
by js2 3704 days ago
e.g. brother-usa.com and nytimes.com have password restrictions such as this. Further, nytimes.com doesn't allow a '+' in an email address.

And Schwab. The password restrictions on Schwab are a complete and utter disgrace to best practices in security.

FWIW, they lifted some of the restrictions in Aug 2015:

http://www.schwab.com/public/schwab/client_home/password_for...

Between now allowing very long passwords, the free 2-factor token (hardware Symantec VIP, not SMS-based), and being able to lock your accounts with a voice password/passphrase that you must give the rep to discuss your account on the phone (so then just SSN/mother's maiden name/birthdate isn't enough), I think they've pulled quite far ahead lately. It's better than any of the other banks I've used.

[Note: voice password is not their voice fingerprint silliness their reps will think you are asking about at first]

Oh that's awesome, I didn't know they'd improved. Good on them!

Can't agree with this strongly enough.

At Schwab I'm using 31 characters randomly generated by LastPass for a login name but they limit things to 8 characters for a password.

Absolutely crazy. Even if they are not having problems, why should customers like us have to worry about it?

Fidelity as well