How do you know when a website is improperly protecting your password and likely mismanaging your information? The more strict the password requirements, the less likely it is that they know what they're doing.
For instance, this Canadian financial company gives off strong vibes of negligence and incompetence by strictly reducing password size and specifying which characters are allowed.
This is a clear sign that whatever you're about to enter as your password will be stored in plaintext and you can forget about proper use of data encryption by this organization.
If you're already a client, why not ask them to prove that your password and other sensitive data are cryptologically hashed to protect your confidentiality? In the failing case, your next stop is the complaints department of the Privacy Commissioner of Canada.
Tell them Claudiu sent you.
Member discussion: