[Trundle]

Here's a fourth that was actually responsible for me starting to just use generated passwords for those as well. They told me my answer wasn't valid.

According to them, it's impossible for your mothers maiden name to have less than six characters :/

[lysp]

Funny story - I had an old short-length insecure password on a website that I hadn't used for years.

I decided to log in and change it to a randomly generated secure password. However, they had upgraded their off the shelf software some time over the last 4-5 years to a newer version.

The problem was, on their password change page the "new password" field had a minimum length of 8 characters, however the "OLD password" field also had that exact same requirement.

So I put in:

* Old: 12345

* New: 717&t!1XFCWJWk!q@ut3B

* Confirm: 717&t!1XFCWJWk!q@ut3B

And got an error "your password must be 8 characters or greater".

After swearing a few times, I breakpointed and edited the javascript validation to remove the length requirement and submitted the change again - this time got a server-side error saying the same thing.

I ended up beating it by logging out, clicking "I've forgot my password" and resetting it via email.

[bitL]

> edited the javascript validation

You probably broke law there O_O

[RugnirViking]

How can there be a law that prevents running abritary code on my own box?

[foobarchu]

I had a similar experience with a city bill pay website, except in this situation it was a new account and they simply didn't prevent me from setting the password to something long in the first place, so once my account was created I wasn't allowed in. And because you need to log in once to verify your email, I couldn't reset the damn thing either.

[mighty_atomic_c]

Oh no! My mother's maiden name is _invalid_!