The entries at the dumb-password-rules hall of shame are truly dreadful, especially the banks. My favorite ones are sites whose security measures run in the user's browser, which means it can be overridden by opening the web inspector and editing the rules. Why yes, javascript, 敗' OR 1=1 -- is a fine username.
At Hacker News, turdnagel writes about one astonishing example of incompetence.
My favorite dumb password experience involves EZPass, a system for paying tolls without cash, in New York.
I signed up for EZPass using a relatively "long" password (20 chars). I then received a letter in the mail about a toll I had to pay, even though I'd had the EZPass at the the time. But, the letter said, I could pay the toll by logging in to their site and using my EZpass credentials. Didn't use OAuth but I figured it would be OK. I input my username and password using my password manager but it didn't work. Pretty strange, as I was able to log in to the "main" EZpass site using those same credentials. I tried logging in on the payment site again to no avail. Finally I realized that my password was being truncated by the password input field itself.
The solution was to inspect the page and change the maxlen attribute of the password field.
There are sites that block password managers! One site has you send three characters of your old password when picking a new one. American Express is apparently still on 8-character case-insentive alphanumeric passwords, which at this point suggests you might go to a public library to read about the security defects of its systems, in printed books written by people who have been dead for decades.
