It may simply be coincidence, but this past week I noticed three sites on which I was creating accounts set an arbitrary limit on the password length.
One of those sites was the new HealthCare.gov (which has a few other problems; see below).
I simply cannot deduce any reason you would limit the number of characters in a password. The worst offender forced me to no more than 8 characters!

Please enlighten me or correct me if I am mistaken about this.


The US Government's new HealthCare.gov site does a few other peculiar things. I believe they are ridiculous and demonstrate a lack of understanding about how the web works.
  • The username must contain this small set of non-alphanumeric characters
  • The password must not contain an arbitrary set of characters, which includes underscore, even though it is not listed


I wanted to use a password that included an underscore and it was (as you can see) rejected.
I understand the desire to prevent 'SQL Injection', but to exclude underscore is simply stupid.

Furthermore, I like to use my Gmail account and the 'filtering' feature it provides. But the plus (+) is rejected when used as part of the email/username on many sites because they are using a RegExp validation copied from StackExchange (I suspect).

[image: ridiculous_login.png]
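As an added example (not part of the original post or of any site it mentions), here is a minimal, hypothetical account store showing why neither a password length cap nor a banned-character list buys anything: the password goes through a KDF, so what is stored has a fixed size whatever the input length, the database write is a parameterised query, so quotes and underscores in the password are inert, and the e-mail check accepts a plus sign in the local part. It uses only the Python standard library and an in-memory SQLite database.

```python
import hashlib
import hmac
import os
import re
import sqlite3
from typing import Optional, Tuple

# Deliberately permissive: one non-space, non-@ run, an @, a domain with a dot.
# The local part may contain '+', so Gmail-style "user+tag@" addresses pass.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def valid_email(addr: str) -> bool:
    return EMAIL_RE.fullmatch(addr) is not None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256: any length, any characters in -> 32-byte digest out."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def create_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # hypothetical store, constructed for the example
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def register(conn: sqlite3.Connection, email: str, password: str) -> bool:
    if not valid_email(email):
        return False
    salt, digest = hash_password(password)
    # Parameterised insert: the driver never splices the password into SQL text,
    # so there is no injection surface to "protect" with a character blacklist.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, digest))
    return True


def verify(conn: sqlite3.Connection, email: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison
```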