This is a rant about dumb password policies enforced by some websites or apps. If you see these password rules forced to you, try to stay away if possible.
Can’t use special characters, or use a pre-defined special characters only
Are you storing the password in plaintext that your database will break when have special characters?
Password can’t be longer than X characters
Most probably storing the password in plaintext and their database column is limited to those characters limit.
Password expire every X months, without notice, suddenly can’t login. Reset it and can’t use the last 5 passwords
They store your previous passwords, either encrypted or plaintext.
“Cannot use a sequence of characters used in any previous password,” or “Cannot use a previous password backwards.” Those are sure fire indicators that they’re storing your passwords in plain text.
I used to have a bank that had the first rule. Emphasis: Used to.
And putting an upperbound length limit on passwords is pants-on-head loony, unless the length limit is very large, like 1024 characters or something. Especially if it’s going to be hashed anyway.
Some password hashing functions have a maximum input length. That could be a reason for some of the requirements. E.g. if I remember correctly, bcrypt used a maximum of 60 characters, while still being an ok choice for a hashing function
Well, sure. But in that case it should be the max length of whatever the hash method is. The full 60 characters, and not something dumb like 12.
My bank has a rule that your password needs to be exactly 5 characters. It’s completely nonsensical. Thankfully, a few years ago they at least implemented two factor authentication so there’s some safety. Otherwise I would probably change to a different bank.