Scary Password Limitations

When changing my password for the online portal, I am presented with this message:


Must contain one upper case, one lower case and either a special character or number. Must not contain any of the following characters: ~ ; < > " & [ ] { } ( ) space and the word script or userid.


In modern security practice, this is an abomination. A user should be able to use any characters that he or she desires. Beyond that, not allowing the words "script" or "userid" honestly makes it sound like you don't take security seriously. Any modern user authentication system would not have either of these limitations. Are your user authentication and password storage systems up-to-date?

The National Institute for Standards and Technology, a U.S. Government entity, publishes recommendations for password composition. You can find their recommendation, as of June 2017, here:


I'd suggest that you work towards implementing the above guidelines.


I agree with OP that this is like saying your web pages are either not safe for XSS or will at some point display the entered password back to the user or others in plaintext. So, is BECU using modern security procedures and programming practices? Seems to me like we can't be sure.
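As an added illustration of the two points made in this thread (the NIST recommendation in the second post, and the concern in the last post that character blocklists hint at passwords reaching HTML or other output unescaped), here is example code that is not part of the thread or of BECU's systems. It implements the quoted portal rule as written, beside a check that follows NIST SP 800-63B (length limits, any printable character including spaces and Unicode, no composition rules, rejection of breached values), and shows the storage step that makes a character blocklist unnecessary: a salted key-derivation hash, so the raw characters are never rendered or interpolated anywhere. The breached-password set, the sample passwords, and the PBKDF2 iteration count are constructed assumptions for the example.

```python
"""Added example, not code from the forum thread or from BECU.

Compares the quoted portal rule with a NIST SP 800-63B style check and
shows password storage via a salted KDF. Breached list, sample inputs and
KDF parameters are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import string
import unicodedata

# Characters the quoted portal rule forbids (taken from the post, plus space).
PORTAL_FORBIDDEN = set('~;<>"&[]{}() ')
PORTAL_FORBIDDEN_WORDS = ("script", "userid")


def portal_policy(password: str):
    """Return None if `password` passes the quoted portal rule, else the reason."""
    if not any(c.isupper() for c in password):
        return "needs an upper-case letter"
    if not any(c.islower() for c in password):
        return "needs a lower-case letter"
    if not any(c.isdigit() or c in string.punctuation for c in password):
        return "needs a digit or special character"
    bad = sorted(PORTAL_FORBIDDEN & set(password))
    if bad:
        return "forbidden characters: " + " ".join(repr(c) for c in bad)
    for word in PORTAL_FORBIDDEN_WORDS:
        if word in password.lower():
            return f"contains the word {word!r}"
    return None


# Constructed stand-in for a breached-password corpus (SP 800-63B 5.1.1.2).
BREACHED = {"password", "p@ssw0rd", "123456", "qwerty123"}


def nist_policy(password: str, breached=BREACHED, min_len=8, max_len=64):
    """SP 800-63B memorized-secret rules: a length range, any printable
    character (space and Unicode included), no composition rules, and
    rejection of values found in a breach corpus. Returns None on success."""
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < min_len:
        return f"shorter than {min_len} characters"
    if len(normalized) > max_len:
        return f"longer than {max_len} characters"
    if not normalized.isprintable():
        return "contains non-printing characters"
    if normalized.lower() in breached:
        return "appears in a breach corpus; choose another"
    return None


# Assumed KDF parameters: PBKDF2-HMAC-SHA256 (an approved KDF in SP 800-63B).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> dict:
    """Store only a salted hash; the password's characters never reach HTML or SQL,
    so there is no reason to forbid '<', '>', '&' or the word 'script'."""
    salt = secrets.token_bytes(16)
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": key.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(record["salt"]),
                              record["iterations"])
    return hmac.compare_digest(key.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed samples: a long passphrase, a breached-but-compliant value,
    # and a password containing characters the portal rejects.
    for sample in ("correct horse battery staple", "P@ssw0rd", "Tr0ub4dor&3"):
        print(f"{sample!r}: portal={portal_policy(sample)!r} nist={nist_policy(sample)!r}")
    rec = hash_password('<b>bold</b> & "quotes" über')
    print("stored record verifies:", verify_password('<b>bold</b> & "quotes" über', rec))
```

Running it shows the inversion the thread complains about: the portal rule rejects the long passphrase (no upper-case letter, spaces) and the one with `&`, yet accepts `P@ssw0rd`, while the NIST-style check does the opposite. The hashing functions accept markup characters without any escaping because a stored hash is never rendered.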