[Reading time: 13 seconds]

I believe it is now 2024.

But for a moment yesterday, I felt like I had hopped in my DeLorean to travel back to 1994.

Because here is a password policy from that era that one financial institution’s online platform still forces upon its customers:

In case you can’t see this screenshot, it says your password must be:

  • *EXACTLY* 8 alphanumeric characters. [Not a minimum of 8. Exactly 8.]
  • Numbers and letters only. [Not even a space or a full stop is allowed].
  • The first character must be alphabetic.
  • At least one character must be a number.


So what?

A password of exactly 8 characters, consisting only of letters and numbers, hasn’t been regarded as a strong password since 1994.

Back in the days when you could have any font colour you liked on your computer screen, as long as it was green.


So what?

Enforcing this password standard on any system is poor.

Enforcing it on an online platform is… inspirational.

I say ‘inspirational’ because I hope this story inspires someone who works for this company to address the problem.