by bbrian 2811 days ago
I just signed up for the IRS website and their password requirements are:

> Password Rules:

> 1) At least 8 characters long.

> 2) Must contain at least one numeric and one special character (!@#$%&). (and asterisks, which is ruining formatting here)

> 3) At least one uppercase and at least one lowercase letter.

My standard password pattern* has a different special character in it, so now I'm locked out for 24 hours because I can't remember what substitution/alteration I made! It kills me when "password requirements" purportedly for security are more restrictive on one site than the majority of others. I also infer the sites are rarely updated.

*I'm implementing Dashlane at work. To date, having a unique password for every site/service has felt secure.

2 comments

I wish they would use login.gov which has sane requirements and allows code generator 2FA instead of SMS.
Many banks also have these arbitrary password limitations which make it less convenient and less secure at the same time.
I just keep a Google Doc with username/password/recovery question, with website abbreviation as header.

As long as my Google 2FA isn't compromised, I think this is safe.