Stupid Password Rules

I’ve seen a lot of stupid password rules in my day. Some of them indicate shoddy programming: for example, sites that require you to use symbols but then exclude many of them (the phrase “SQL injection” springs to mind). Others reflect antiquated systems: for example, requiring that the first 8 characters contain all types of characters (upper, lower, number, symbol) while allowing longer passwords, or just overly limiting password length.

But today I ran into one which simply seems arbitrary and stupid.  When signing up to look up my ancestors on ellisisland.org I was faced with this:  “Password Must be 10 characters and begin and end with a number.”  Indeed it required that the password be exactly 10 characters and didn’t seem to concern itself with what the other 8 characters were.  I wonder how many people there have the password “1234567890”.

I’m not sure whether to laugh or cry.  The rest of you should read this: http://xkcd.com/936/
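To put numbers on the rule quoted above, here is an added example (not code from the site or from this post) that implements the rule as worded and measures the search space it leaves. It assumes a 95-character printable-ASCII alphabet; the function names are made up for illustration, and the sample passwords are constructed, the last being the passphrase from the linked comic.

```python
import math
import string

PRINTABLE = 95   # assumption: passwords drawn from printable ASCII
DIGITS = 10


def site_rule_ok(pw: str) -> bool:
    """The rule as quoted: exactly 10 characters, first and last are digits."""
    return (len(pw) == 10
            and pw[0] in string.digits
            and pw[-1] in string.digits)


def site_rule_bits() -> float:
    """log2 of the number of passwords the rule can ever accept."""
    # digit, 8 unconstrained characters, digit
    return math.log2(DIGITS * PRINTABLE ** 8 * DIGITS)


def free_bits(length: int) -> float:
    """log2 of all printable-ASCII strings of exactly `length` characters."""
    return length * math.log2(PRINTABLE)


def audit(samples):
    """Map each sample password to whether the rule accepts it."""
    return {pw: site_rule_ok(pw) for pw in samples}


# Constructed sample inputs.
SAMPLES = [
    "1234567890",                    # trivially guessable, accepted
    "9aaaaaaaa9",                    # no variety in the middle, accepted
    "Tr0ub4dor&3",                   # 11 characters, rejected
    "correct horse battery staple",  # long passphrase, rejected
]

if __name__ == "__main__":
    for pw, ok in audit(SAMPLES).items():
        print(f"{pw!r:32} accepted={ok}")
    print(f"rule ceiling:         {site_rule_bits():.1f} bits")
    print(f"any 10 characters:    {free_bits(10):.1f} bits")
    print(f"any 16 characters:    {free_bits(16):.1f} bits")
```

Because the length is fixed, the figure for the rule is a hard ceiling: no user can choose anything stronger, and forcing digits into two positions costs about 6.5 bits compared with ten unconstrained characters.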