Stupid Password Requirements

Or lack thereof

Some recent experience has resulted in the creation of some accounts on certain SaaS HR recruiting platforms, namely Successfactors and Taleo.

As a long-time user of password manager solutions (presently Bitwarden), I don’t set my own passwords for any logins and usually take 32 characters from UPPER, lower, numeric and special character sets.

This should be the minimum used

Or I would, if it were possible…!

Successfactors

Successfactors from SAP will not accept a password of over 18 characters. Attempting to use a password longer than this results in the following verbose error message:

Password must be at least 8 characters long. Password must not be longer than 18 characters. Password must contain at least one upper case and one lower case letter. Password must contain at least one number or punctuation character. Password must not contain space or unicode characters.

It seems the special character, space, is particularly troublesome.

Taleo

Taleo, an Oracle service, allows up to 32 characters but chokes on certain special characters.

Please note that the password must respect the following rules:

  • It must contain between 6 and 32 characters. Use only characters from the following set: ! # $ % & ( ) * + , – . / 0123456789 : ; < = > ? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [ \ ] _ ` abcdefghijklmnopqrstuvwxyz { | } ~
  • It must contain at least 1 letter(s) (ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz).
  • It must contain at least 1 numeric character(s) (0123456789).
  • It must not contain more than 4 identical consecutive characters (AAA, iiii, $$$$$ …).
  • It must not contain your user name.

This is an extremely annoying combination for the password generator since I end up disabling special characters for the generated password.

Paypal

Since Paypal can be used to make financial transactions on my behalf, using my credit card, it’s in my own interest to have a good, long, complex password.

I chose 64 characters from the 4 character types.

Paypal WTF….

Your password should be 8-20 characters long.

It seems my characters were OK but more than 20 characters were not.

Password salting and hashing

Storing passwords has to be done securely, and the norm is to salt and hash the password and store the result. For a given hash function the output length is the same no matter how long the input is.

The password, when used, is salted and hashed before being compared to the stored value. It’s that simple.

Yes, it might be recommended to escape special characters before salting and hashing to avoid injection attacks – but the characters allowed in a password and the length of the password should be far less limited in modern computing implementations. Yes, it could be that a password field in a form has a limited length and is validated on this length – but it should never, ever be limited to 18, 20 or even 32 characters.
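To make the two halves of this post concrete, here is an added example (my own code, not anything from SAP, Oracle, PayPal or the post itself) that puts the Taleo rules quoted above side by side with a permissive policy and a salted hash. The Taleo checker assumes the “–” in the published character set is an ordinary hyphen-minus, reads “more than 4 identical consecutive characters” as five or more, and treats the user-name rule as case-insensitive; those are my readings, not Oracle’s. The hashing half uses PBKDF2-HMAC-SHA256 from the standard library with a per-password random salt and an iteration count I picked; a real deployment would more likely use argon2 or bcrypt (noting that bcrypt truncates input at 72 bytes, so a length cap there is a property of the algorithm, not of the form). The raw UTF-8 bytes go straight into the KDF, so spaces and Unicode are fine and nothing needs escaping: the password never reaches a query or shell. The only upper bound is a generous byte cap that exists purely to limit the hashing work an attacker could force per request.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# --- Taleo's published rules, as quoted in the post (hyphen assumed to be '-') ---
TALEO_ALLOWED = set(
    "!#$%&()*+,-./0123456789:;<=>?@"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]_`"
    "abcdefghijklmnopqrstuvwxyz{|}~"
)
_FIVE_IN_A_ROW = re.compile(r"(.)\1{4}")  # "more than 4 identical consecutive" read as >= 5


def taleo_rejections(password: str, username: str = "") -> list[str]:
    """Return the list of Taleo rules a password breaks (empty list = accepted)."""
    problems = []
    if not 6 <= len(password) <= 32:
        problems.append("length must be 6-32")
    disallowed = sorted(set(password) - TALEO_ALLOWED)
    if disallowed:
        # Spaces, quotes and anything non-ASCII land here: this is what rejects
        # a generator's output and forces special characters off.
        problems.append("disallowed characters: " + repr("".join(disallowed)))
    if not any(c.isascii() and c.isalpha() for c in password):
        problems.append("needs a letter")
    if not any(c in "0123456789" for c in password):
        problems.append("needs a digit")
    if _FIVE_IN_A_ROW.search(password):
        problems.append("more than 4 identical consecutive characters")
    if username and username.lower() in password.lower():  # case-insensitive: my assumption
        problems.append("contains user name")
    return problems


# --- A permissive policy: any character, any reasonable length ---
MIN_PASSWORD_CHARS = 8
MAX_PASSWORD_BYTES = 1024  # only bounds KDF work per login attempt, not user choice


def sane_rejections(password: str) -> list[str]:
    """Minimum length plus a byte cap large enough that no password manager hits it."""
    problems = []
    if len(password) < MIN_PASSWORD_CHARS:
        problems.append("too short")
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        problems.append("too long")
    return problems


# --- Salted hashing: fixed-size output whatever the input length ---
PBKDF2_ITERATIONS = 600_000  # my choice; tune to your hardware budget


def _password_bytes(password: str) -> bytes:
    # NFKC so that composed and decomposed forms of the same text verify alike.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _password_bytes(password), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", _password_bytes(password), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    generated = "p4ss w0rd with space & \"quotes\" and ünicode"   # constructed sample
    print("Taleo says:", taleo_rejections(generated, "alice") or "OK")
    print("sane policy says:", sane_rejections(generated) or "OK")
    for pw in ("short1A!", generated, "x" * 200):
        record = hash_password(pw, iterations=20_000)
        # the digest field is 64 hex characters every time, regardless of len(pw)
        print(len(pw), "chars ->", len(record.split("$")[3]), "hex digest chars")
```

Running the script shows the generator-style password being rejected by the Taleo rules for its space, quotes and non-ASCII letter while passing the permissive policy, and it shows three passwords of 8, 44 and 200 characters all producing the same 64-hex-character digest, which is the whole argument of the hashing section.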

It’s time for these companies and others to modernise and update their password possibilities. For our sake, mostly!