by lochlainn 3664 days ago
Probably the weirdest password requirement I've seen was the one for my college's email: it had a maximum of 10 characters, and required it to contain no dictionary words or reverse dictionary words. I never figured out why they would have such strict requirements, and also force it to be so short.
3 comments

My university required us to change passwords every semester, and the password couldn't contain a similar enough substring of any of your old passwords. (I think 4 characters was the threshold; it would also detect reversed substrings.)

I didn't really know much about web dev or security at the time, but thinking back to it now, there is no safe way they could have done that.

Technically, they might have been able to take the new password, which would traditionally not have been hashed on the client side, and try and permute it to see if it hashed to the same value as the old hash. Granted, with current best-practices in stretching, it probably shouldn't have been feasible to do even that -- but for salt+sha1 it might have worked.

They probably didn't though.
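The substring rule described in that comment is easy to enforce against the one old password the server does have in plaintext, namely the current one the user types during a password change. The following is an added illustration, not code from the thread or from any university system; it assumes a 4-character threshold (as the comment guesses) and case-insensitive matching, and it shows why the same check cannot be applied to older passwords that survive only as salted hashes.

```python
"""Password-change policy check: reject a new password that shares a run of
SHARED_RUN or more characters with the old password, forwards or reversed.

Added example. It requires the old password in plaintext, which a server only
has at change time when the user enters the current password alongside the new
one. Historical passwords stored as salted hashes expose no substrings, so a
policy that claims to compare against *all* previous passwords can only be doing
so if those passwords are stored reversibly, which is the concern raised above.
"""

SHARED_RUN = 4  # assumed threshold taken from the comment


def shared_substrings(old: str, new: str, min_len: int = SHARED_RUN) -> set[str]:
    """Return every substring of `new` of length >= min_len that also occurs in
    `old` or in `old` reversed. Comparison is case-insensitive (assumption)."""
    old_l = old.lower()
    new_l = new.lower()
    haystacks = (old_l, old_l[::-1])  # forward and reversed old password
    hits: set[str] = set()
    for start in range(len(new_l)):
        for end in range(start + min_len, len(new_l) + 1):
            chunk = new_l[start:end]
            if any(chunk in h for h in haystacks):
                hits.add(chunk)
    return hits


def reuses_old_password(old: str, new: str, min_len: int = SHARED_RUN) -> bool:
    """True when the new password should be rejected under the substring rule."""
    return bool(shared_substrings(old, new, min_len))


def validate_change(current_password: str, new_password: str) -> tuple[bool, str]:
    """Policy decision for a change request where the user supplied both values.
    Returns (accepted, reason). Only the current password is inspected; there is
    no way to run this against earlier passwords that exist only as hashes."""
    hits = shared_substrings(current_password, new_password)
    if hits:
        longest = max(hits, key=len)
        return False, f"new password shares the run {longest!r} with the current one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for old, new in [("Winter2013!", "Winter2014!"),
                     ("Winter2013!", "!3102retniW"),
                     ("Winter2013!", "Summer9876$")]:
        print(old, "->", new, validate_change(old, new))
```

The check is quadratic in the new password's length, which is fine for the short passwords such policies tend to allow; it also makes the point that any server claiming to match against every past password, not just the current one, must be keeping those passwords in a recoverable form.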

Actually, my university requires exactly six characters for library passwords. They may only be changed by the library personnel, and you must either write them down on a piece of paper for them to type or just spell it out loud...
Probably a legacy plain-text database field... if it makes you feel any better. :/