I recently changed a password at Citibank, and was greeted with this absurd guidance.
Where to start? A 6-character password is ridiculously insecure, so that’s not great. But the “must not” section is what amuses me. The first and second bullets are perfectly fine. The fourth one is very disturbing — how secure can a password really be if you eliminate 26 characters that I might otherwise use? More importantly, this implies that perhaps passwords aren’t being stored in a secure manner in the first place — if they are properly hashing their passwords, it is impossible to tell if a password is an “almost” match, except for capitalization. You have to wonder how they are storing the passwords.
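To make the hashing point concrete, here is an added example (not from the original post or from any bank’s code) that stores passwords as salted PBKDF2-HMAC-SHA256 digests and then compares the digests of two passwords that differ only in case. The passwords and the fixed demo salt are constructed values; a real system would draw the salt from `os.urandom` as the store function does by default.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample passwords that differ only in case.
OLD_PASSWORD = "Citibank1"
NEW_PASSWORD = "citibank1"

# Fixed salt so the demonstration is reproducible; real code uses os.urandom.
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a salted PBKDF2-HMAC-SHA256 hash of password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a candidate password against the stored salt and digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance in bits between two equal-length byte strings."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def near_match_leak(old: str, new: str, salt: bytes = DEMO_SALT) -> int:
    """Hash two passwords under the same salt and count how many of the 256 digest
    bits differ. Unrelated inputs differ in roughly half the bits; a case-only
    change does too, so the stored digest reveals nothing about 'almost' matches."""
    _, old_digest = hash_password(old, salt)
    _, new_digest = hash_password(new, salt)
    return differing_bits(old_digest, new_digest)


if __name__ == "__main__":
    salt, digest = hash_password(OLD_PASSWORD)
    print("exact match verifies:", verify_password(OLD_PASSWORD, salt, digest))
    print("case variant verifies:", verify_password(NEW_PASSWORD, salt, digest))
    print("digest bits differing between case variants:",
          near_match_leak(OLD_PASSWORD, NEW_PASSWORD), "of 256")
```

A server holding only these records can answer “is this exactly the password?” and nothing else; a rule that rejects a near-match against stored passwords needs access to something weaker than a proper hash.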
It’s the third rule that convinced me we are in never-never land. Your password must not “[h]ave any spaces before, in the middle of, or following any characters.” Leave aside that they already told me that my password must not “[c]ontain any spaces,” so this whole point is redundant. What in the world does it mean to say that I can’t have any spaces “in the middle of… any characters?” Bizarre.
This whole thing made me think of this truly excellent comic from xkcd and this post about it, complete with passphrase generator. Personally, I strongly recommend using KeePass and letting it generate and store ridiculously strong passwords for you.