Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.
Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…
Not so much password requirements as just a completely removed implementation:
To access payment stubs in a data center (not us) that I worked at, the user account was our public email address and the password was a personal code, sorta like SSN, but that code could be easily looked up as it was public info.
I showed the director of HR, who authorized this, her own payment stub as evidence that this was baaaaadddd
So she asked me to check that system for more issues
Turns out it stored passwords in blank (wtf) and would authenticate with two queries. First query would check if the username (email) exists. Second query would check if the password exists. If both exist, you’re in! So I could log in to any account with MY password…
This is a tip of a very big iceberg there
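The two-query login described in the comment above, reproduced as an added illustration (not code from the poster's system), next to a check that actually binds the password to the account. The user table and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample user table; the passwords are fictional.
USERS = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "hunter2",
}


def authenticate_broken(email: str, password: str) -> bool:
    """The flawed scheme: two independent existence checks.

    Query 1 asks "does this e-mail exist?", query 2 asks "does this
    password exist anywhere?". Nothing ties the password to the
    account, so any valid password opens any valid account.
    """
    email_exists = email in USERS                 # SELECT ... WHERE email = ?
    password_exists = password in USERS.values()  # SELECT ... WHERE password = ?
    return email_exists and password_exists


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted KDF instead of storing the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _make_credentials(users: dict) -> dict:
    # What the fixed version stores per user: (salt, derived key), never plaintext.
    creds = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        creds[email] = (salt, _hash_password(pw, salt))
    return creds


CREDENTIALS = _make_credentials(USERS)


def authenticate_fixed(email: str, password: str) -> bool:
    """Fetch the one row for this account, then verify the password
    against that row's salted hash with a constant-time comparison."""
    record = CREDENTIALS.get(email)
    if record is None:
        _hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)
```

Bob's password opens Alice's account in the broken scheme but is rejected by the fixed one.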
By far the worst is the Costa Rican national bank:
- Must be between 8 and 16 characters long
- Must have at least 4 letters and 4 numbers
- Can’t have consecutively repeated characters (can’t do “aa” but can do “aba”)
- Can’t have vowels or Ñ
- Must not be one of your last 6 passwords
- Must be changed every 90 days
- Also forgot that their website and app try to block password managers and copy and paste