
Password Policy Hall of SHAME

THIS PAGE IS DEPRECATED

I no longer have time to keep updating this page. I could automate it, but I don't have time to do that either. So for now this page will remain frozen, and will probably contain incorrect information.

If you want to pick up the project, email me and I'll redirect this page to yours.

Storing passwords in PLAIN TEXT is NOT SAFE.
It's time to make online services clean up their act!

This is a user-submitted list of websites and services that enforce a password policy that is detrimental to password security. This includes password policies that exclude special characters or enforce a maximum length. As explained on the password restrictions page, these unreasonable password policies are signs that the passwords are being stored in plain text, not hashed with salt.

Cryptographic hash functions take input of any length and produce a fixed-length digest of it. If the passwords are being hashed, the stored value is the same size whatever the user typed, so there is no technical need for password restrictions; we can therefore assume that any website imposing these restrictions is storing passwords in plain text...until they prove otherwise.
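As an added illustration (not part of the original page), a minimal salted-hash password store in Python: the record written to the database is the same size whether the password is six alphanumeric characters or a long passphrase full of the characters the policies below forbid. The iteration count and salt size are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not from the original page: a minimal salted password store
# showing why a site that hashes passwords has no technical reason to cap
# length or forbid special characters. Every record is the same size.

ITERATIONS = 200_000   # assumed work factor for the demo; use more in production
SALT_BYTES = 16        # assumed salt size
DIGEST = "sha256"      # PBKDF2-HMAC-SHA256 always yields a 32-byte key


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived key). The key is 32 bytes for sha256 regardless
    of the password's length or character set."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the key from the candidate password and compare in constant
    time. A plain-text store would have to compare the raw string instead."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def stored_record_length(password: str) -> int:
    """Size in bytes of what the database actually keeps for this password."""
    salt, key = hash_password(password)
    return len(salt) + len(key)


if __name__ == "__main__":
    # Constructed sample passwords: short alphanumeric, a long passphrase with
    # spaces and symbols, and a Unicode one. At least one policy in the tables
    # rejects each of them, yet all hash to the same record size.
    samples = ["abc123", "correct horse / : * ? < > | battery staple!!", "pässwörd 密码" * 8]
    for pw in samples:
        print(len(pw), "chars ->", stored_record_length(pw), "bytes stored")
    salt, key = hash_password(samples[1])
    print(verify_password(samples[1], salt, key))          # True
    print(verify_password(samples[1].upper(), salt, key))  # False
```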

Statistics

Of the top 59 account-based websites...
  • Over 50% limit passwords to 20 characters or less.
  • 24% don't allow passwords to contain symbols.

Of the top 100 websites as rated by Alexa, 59 allow users to create accounts that are unique to that site (e.g. ebay.com and ebay.de are counted as one). Of those 59 websites, 49 (83%) impose an upper bound on password length. Over 50% limit passwords to 20 characters or less. 14 (24%) restrict passwords to alpha-numeric characters only. It has been confirmed that at least two of the 59 sites store passwords in plain text.

[Pie charts: Password Length Limit (Alexa Top 100); Password Character Restrictions (Alexa Top 100)]

Download the raw data

100-Site Random Sample

Of a random 100-site sample of the Alexa top 1,000,000 list, 19 support accounts. Of those 19:

Keep in mind that this is not a true random sample, since the selection was made from the top 1,000,000 sites.

Confirmed Plaintext

Name | Info | Alexa Rank | Minimum Length | Maximum Length | Character Restrictions | Users
Direct Marketing Association | Sends plain text password in recovery email. | | | | |
Conduit.com | Password recovery sends the current password in plain text. | 59 | 6 | 24 | These characters are not allowed: / : * ? < > and the vertical bar | 230,000,000
PornHub | NSFW. Password recovery sends the current password in plain text. | 65 | | 40 | Alphanumeric, dash, and underscore. Must not start with a number. |
YouPorn | One of the largest porn sites. | 102 | 4 | 20 | Only a-z, 0-9, and underscore. |
Travelocity | Password recovery sends password in plain text. | 1,254 | | | |
Tesco | The largest supermarket chain in the UK. | 1,439 | | | |
Drugstore.com | An online drug store. Password reset sends the password in plain text. | 3,722 | | | |
Sony Pictures | An attack on Sony Pictures revealed one million passwords stored in plain text. | 10,476 | | | | 1,000,000
MCN Fantasy Road Race 2013 | | 47,984 | | | |
tix.com | Password reset sends plain-text password. | 72,144 | | | None. |
Jabber XMPP Node | A popular XMPP chat server. On their service policy page they state "Please note that currently your account password at the jabber.org IM service is stored as plaintext, not in hashed or encrypted form." | 99,635 | | | | 600,000
NIC.io | Domain name registrar. Password recovery sends original password in plain text. | 123,320 | | | None. |
FindTuition.com | Password recovery sends the current password to the user's email in plain text. | 269,803 | | 16 | |
Dwyer Instruments | Password reset sends password in plaintext. | 328,024 | | | None. |
Mechanic Net Group | Accounts are only available to customers. The password reset feature sends the current password to the user in plain text. | 431,951 | | | |
TransCanada Network Services | A domain registrar. Password reset sends the original plain text password. | 2,638,291 | | | |

Unreasonable Restrictions: Probably Plaintext

Name | Info | Alexa Rank | Minimum Length | Maximum Length | Character Restrictions | Users
Virgin Atlantic | | | 5 | 8 | Passwords are not case-sensitive. |
Baidu | | 6 | 6 | 14 | None. |
Windows Live Mail (Hotmail) & Windows Live Messenger | | 8 | 6 | 16 | None. | 355,000,000
QQ | QQ is a very popular Chinese instant messaging service. | 10 | 6 | 16 | None. | 990,000,000
sina.com.cn | | 16 | 6 | 16 | None. |
Yandex.ru | | 22 | 6 | 20 | None. |
Ebay | | 23 | 6 | 20 | None. | 147,000,000
163.com | | 27 | 6 | 16 | None. |
PayPal | | 29 | 8 | 20 | None. | 232,000,000
weibo.com | | 33 | 6 | 16 | None. |
Mail.ru | | 34 | 6 | 40 | None. |
Craigslist | | 35 | 6 | 40 | None. |
Apple | | 36 | 6 | 32 | None. |
fc2.com | | 37 | 6 | 16 | None. |
IMDb | | 39 | 4 | 64 | None. |
sohu.com | | 43 | 6 | 16 | None. |
LiveJasmin | NSFW. | 47 | 6 | 16 | Alpha-numeric only. |
youku.com | | 49 | 6 | 16 | None. |
soso.com | | 50 | 6 | 16 | None. |
CNN | | 54 | 6 | 10 | No spaces. |
AOL | | 55 | 6 | 16 | None. | 48,900,000
tudou.com | | 56 | 4 | 12 | None. |
ifeng.com | | 57 | 6 | 20 | No spaces. |
xhamster.com | NSFW. | 58 | 1 | 20 | None. |
MediaFire | | 60 | 6 | 15 | None. |
Adobe | | 63 | 6 | 12 | None. |
ameblo.jp | | 64 | 6 | 12 | None. |
GoDaddy Hosting | | 66 | 5 | 25 | None. |
alibaba.com | | 70 | 6 | 20 | None. |
ESPN Sports | | 72 | 6 | 25 | Alpha-numeric only. |
LiveJournal.com | | 76 | 6 | 31 | None. |
CNET | | 79 | 6 | 20 | Alpha-numeric, dashes, and underscores. |
LiveDoor.com | | 80 | 8 | 12 | Alpha-numeric and - _ % $ # |
uol.com.br | | 82 | 5 | 8 | Alpha-numeric. |
renren.com | | 83 | 6 | 20 | None. |
chinaz.com | | 85 | 3 | 14 | Alpha-numeric and Chinese. |
MySpace | | 88 | 6 | 50 | None. | 250,000,000
The New York Times | | 90 | 5 | 15 | Alpha-numeric, underscores, hyphens, and periods. |
cnzz.com | | 96 | 6 | 20 | None. |
alipay.com | | 97 | 6 | 20 | None. |
Wells Fargo Bank | A popular bank in the United States of America. | 182 | 6 | 14 | None. | 70,000,000
JPMorgan Chase & Co. | | 185 | 7 | 32 | Alpha-numeric only. |
Walmart | | 246 | | 11 | None. |
AT&T | | 357 | 6 | | No special characters except hyphens or underscores. |
TD Canada Trust | | 1,270 | 5 | 8 | Alpha-numeric only. |
League of Legends | | 1,285 | | 16 | None. | 300,000,000
National-Lottery.co.uk | | 1,379 | 6 | 12 | None. |
Newgrounds | A popular flash animation and game website. | 1,452 | 6 | 10 | None. |
Fidelity.com | | 1,770 | | 12 | Alpha-numeric only. |
Yahoo! | | 2,034 | | 32 | None. | 273,100,000
Bank of Brazil | | 2,053 | | 8 | Numbers only. |
Halifax Bank | | 3,121 | 6 | 15 | No spaces, hyphens, or special characters. |
Deutsche Kreditbank AG | A German bank. | 3,260 | 5 | 5 | Alphanumeric. |
Aeria Games | | 3,695 | | 15 | None. | 13,000,000
Virgin Atlantic | | 3,747 | 5 | 8 | Passwords are not case-sensitive. |
three.co.uk | A phone provider in the UK. | 4,194 | | 12 | None. |
www.creditmutuel.fr | | 5,242 | 6 | 8 | None. |
Vanguard.com | | 6,100 | | 10 | None. |
L. L. Bean Credit Cards | | 7,073 | | 12 | Alpha-numeric only. |
Berliner Sparkasse | A German bank. | 8,512 | 5 | 5 | Alphanumeric. |
PlentyOfFish | | 16,621 | | 13 | |
Symantec (Norton AntiVirus) Account | A security and virus research company. Creator of the "Norton" antivirus products. | 24,625 | 6 | 50 | None. |
Canada Post (ePost) | Canada Post's online billing service. | 26,629 | 6 | 32 | None. |
Project Euler | | 52,226 | | 32 | Username cannot contain more than 16 characters (passwords are limited to 32 characters) and they may only contain upper/lower case alphanumeric characters (A-Z, a-z, 0-9), dot (.), hyphen (-), and underscore (_). |
softonic.pl | | 65,477 | 4 | 20 | None. |
queremoscomer.com | | 70,125 | 6 | 10 | None. |
ProXPN | A VPN provider. | 146,207 | 6 | 12 | Only a-zA-Z0-9!@#$ are allowed. |
railcard.co.uk | A rail card store in the UK. | 366,390 | | 12 | None. |

How to Help

If you use one of these services, please write to them. Ask them to remove the password restrictions and ensure that they are hashing the passwords properly. Encouraging your friends to do the same, and sharing this page will help too. These are big companies; they won't change anything unless we work together to apply pressure.

Please submit websites! You can find my email address on the contact page. I am especially interested in the Alexa Top 500 Websites.

Please send me:

What's next?

Over the next few months, I'll be soliciting feedback from the organizations listed in the password policy hall of shame to get a better idea why these restrictions are in place. Once I have that information, I'll start an online campaign to promote the use of proper password hashing.

How do I get my company/website off the list?

To get your company or website's name off this list, you must remove the password restrictions in question or give us a good reason why you cannot remove them. You also have to clearly describe to us HOW your passwords are being stored in your database. We will work with you to verify the facts, and will remove you from the list promptly if you are in fact hashing your users' passwords. We will not comply with any kind of take-down order without first consulting a lawyer. Read this and this.