Can somebody solve this puzzle?

It's fucking insane that an internet banking portal has such a low cap on max characters and such shitty rule enforcement.

Their desktop site is even more shitty. It won't allow right click or paste actions. There goes compatibility with password managers.
- Bitwarden has a function where it types in (not pastes) the password and shows the prompt for it without right-click.
- As a super secret dev hack may I introduce you to shift + insert a fair few sites specifically block ctrl + v instead of properly disabling the clipboard action and, of course, if you read this and then submit a Jira ticket to block shift + insert... well... h8u
- Any password manager should be able to "type in" the password. Or be a browser plugin that doesn't rely on copy pasting, but use other mechanisms to inject it directly into the field.
  But yes, if that's their online portal, I am not kidding I would change banks.
My bank's password used to have to be exactly 6 characters, no special characters and you could use numbers and letters interchangeably because it was also your phone banking password.
- a previous bank used to have a max password length of 8 characters, then proudly announced that they will increase it to 32
  Then I made a typo at the end of my password and it let me in anyway, and I realised they were just trimming the first 8 characters to give the illusion of security
Visa has a hard limit of 8 and requires the first 4 to be numbers because the phone tree might require it as a password
The whole banking industry is ridiculous and is ridiculously legislated
- USAA has 8-12 ONLY. My smallest memorized password algorithm is 13 characters, that I typically use for throwaways, doesn't even fit.
The ERP software I have to use has a strict limit of 6 characters as password. Only alphabet and numbers allowed.
Maybe when I leave I try an SQL injection.
- Bobby tables, noooooooo!
I had to create an account on a government website. The website didn't list a character limit so I used a password manager to generate a 32 character password. My account was created but I couldn't log in. I used the "forgot my password" option and I received an email of my password in plain text. I also noticed why I couldn't log in. The password was truncated to just 20 characters. Brilliant website! Tax dollars at work!
Some internet banking sites give access after only asking for login password. They will only ask for transaction password and OTP (that will only come on phone) later on. Asking for two passwords isn't necessarily more secure since many people will just reuse their original one again. And OTP instead of offering something like hardware security key is insane.
- My bank uses 6 digit 'customer number' (which is set by the bank) and that's verified with an app and a personal PIN (app shows 'login attempt ABCD at mm.dd. hh:mm' where ABCD is shown on login page too) or via SMS OTP (again with 'ABCD' verification). And again with personal pin + app or OTP to confirm transactions. The app itself can be protected with a fingerprint or phone pin and every new installation needs to be registered to the system, so I can't just use my phone app to access my wifes account (or anyone elses) but I still can map multiple accounts (like corporate ones) to the same installation.
  I think that's pretty reasonable approach.
- Reason why I took a hardware tan generator versus using the OTP function of one of their other apps.
  Thanks but no, I will use the old crusty method as I know how easy that's hacked.
They can't even properly check their copy on critical infrastructure. Top notch work over there, top to bottom.
It is insane that any internet banking portal still uses a static password.
- wdym? What's a dynamic password?
- At least it should not, in many countries must not, be the only measure.
  I once encountered an OR in the requirements: Capital letters, small letters and digits OR special characters.
seriously, I've never seen a bank with password login to begin with. Every bank i know of uses physical devices that you type a code into
- Never heard of this. Where is this at? :o

It says one special character, not at least one. Maybe the password has more than one.

Holy shit!! You did it. I would never expect a banking password to max special characters. I have been scratching my head with Bitwarden and this shitty app for an hour.
- But wouldn't that mean the bottom checkbox should be cleared and the 2nd one should be checked?
  Still doesn't make sense.
- Yeah but It still states "A combination of letters, digits and special charaters"
  It should then be spelled as "A combination of letters digits, and one special character"
- It's like a Captcha that only lets in autistic people.
You solved the puzzle! here is a cookie for you :D 🍪
- Yay!
Good catch.
Also psh, there’s no verb, suggesting the password should be exactly one special character and nothing else.
I love how the acceptance/rejection status is messed up.
If it's only one special character, then that should be unchecked not check, and the combination of "letters, numbers and special characters" should be check marked.

That programmer has obviously been playing https://neal.fun/password-game/

- problem is the late stages of the game the password requirements change when your password's emojis start catching fire.
I can never get past the geoguesser part
- Last time I got pretty deep in, but it became impossible when the chess notation rule required Cs and Ds, making it impossible to stay below the roman numberal sum limit.
- I got past it because it happened to throw a place from my country. And there was also a flagpole with a flag on it to really drive it home. XD
- I used Google lens. Got stuck afterwards on a chess rule. The captcha rule used the notation for the chess one to complicate it further haha

It says “one special character”. Not “at least one”.

oh. oh god. what the fuck.

No Homers.

If >1 special character is not allowed the last check should be failed . The second check is literally satisfied even if there are 2+ specials.

I'd not be using that bank.

Now imagine how many services just silently cut off your password at 8 characters and people never notice.

UltraVNC is very guilty of this.

Wells Fargo cuts to 14 on their sign in page but not on their change password page, ask me how I know
Once upon a time, battle.net passwords weren't case sensitive. I used upper and lower case letters in my password then one day realized I didn't hit shift for one of the caps as I hit enter out of habit, but then it still let me in instead of asking for the password again.
It was disappointing because it takes more work to remove case-sensitivity than to leave it. I can't think of any good reason to remove it. At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient. Better to use the size of a hash and not store the password in plaintext, so it's not a good reason, but at least it's a reason.
- At least the character limit had a technical reason behind it: having a set size for fields means your database can be more efficient.
  If that is the actual technical reason behind it, that is a huge red flag. When you hash a password, the hash is a fixed size. The size of the original password does not matter, because it should not be stored anyway.

the password game irl

This broke me. 🤣

Your Internet Banking Password should one special character (~!@#%^&*)

Great grammar on their part.

Yeah, they noticed their mistake too late, hence the expletive.
atleast a 5/10 in effort

Maybe you accidentally did a permutation instead of a combination.

This was a new one for me:

Translation: Password strength: weak. Please don't use any special characters.

It was a generated 14 char password.. (╯°□°）╯︵ ┻━┻)

My guess is they mean, one capital letter, one lower case letter, a number, and a special character

what's always amused me about these rules is that they exist because people are dumb. Technically, they lower the difficulty of the passwords slightly. ( for example, knowning that one character is a number reduces it to 10 options in stead of 10+26+26+whatever set of special characters)

anyhow. people should use password managers. just saying.

Noone should of aloud this code to go out the door. Atleast alot of other people people probably complained aswell, so your apart of a bigger group, incase you were worried.

When commas and semicolons aren't allowed special characters

I used to use a system that was perfectly happy to let you use a semicolon when setting the password, but then login would fail if you did.
When you enter an apostrophe, and the site returns a 500 response stating you are trying to attack it. (And yeah, it's always 500, not 400.)

Please tell me someone didn't buy software with 'atleast' spelled like that in there. Please, tell me someone tested the web app and had the brains God gave a douglas fir and knew that wasn't a word; that it was never a word; that the writer's spell check should have picked that up; that it's not been over-ruled by stupid so much that it just takes it.

Well now. When we've been enforcing password requirements at work, we've had to enforce a bizarre combination of "you must have a certain level of complexity", but also, "you must be slightly vague about what the requirements actually are, because otherwise it lets an attacker tune a dictionary attack against you". Which just strikes me as a way to piss off our users, but security team say it's a requirement, therefore, it's a requirement, no arguing.

"One" special character is crazy; I'd have guessed that was a catch-all for the other strange password requirements:

can't have the same character more than twice in a row
can't be one of the ten-thousand most popular passwords (which is mostly a big list of swears in russian)
all whitespace must be condensed into a single character before checking against the other rules

We've had customers' own security teams asking us if we can enforce "no right click" / "no autocomplete" to stop their users in-house doing such things; I've been trying to push back on that as a security misfeature, but you can't question the cult thinking.

- "Password managers are insecure because then all your passwords are just under one password" - Some higher up
Why do they think no copy paste is safer?
- Because if you disable browser autocomplete, what's obviously going to happen is that everyone will have a text file open with every single one of their passwords in so that they can copy-paste them in. So prevent that. But what happens if you prevent that is that everyone will choose terrible, weak passwords instead. Something like September2025! probably meets the 'complexity' requirement...

If you have to try really hard to meet their password requirements, that’s how you know it’s super secure.

You are using a special character that is likely reserved internally

“Atleast”?

it's British. they also do "aswell"
- No we don’t.

The USCIS site makes it clear that your CAN use emojis in your password.

ETA: but not required.

Since when is "atleast" a word?