Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.
Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…


My work was using some MS-based account system, but I don’t know if this was stock or something they modified. When you had to change your password, it would tell you if your new password didn’t meet the password requirements, as usual. What it wouldn’t tell you was what those requirements were…
So yeah, the requirements the system won’t tell you about would have to be the worst one i came across…