I figured at some point after Heartbleed (after sites had time to get themselves patched) I should change all my passwords for valuable services. I’m doing that now and I was shocked by a couple where it wouldn’t let me change my password because the new one was too complex :) The last time I was hit with an error like that was when I wanted a longer-than-4-digit PIN on my credit/debit cards.
sunlife.ca (probably the same on sunlife.com) helpfully says:
Your new password must: not contain any spaces, symbols or characters with accents.
You have entered an invalid password. Please re-enter your password, using only alpha-numeric characters.
Don’t get me wrong, I am not a fan of retarded password policies (e.g. must have two special characters, uppercase, numbers) but I feel it’s even more retarded to prevent people from using those characters if they want to.
What this tells me is – almost certainly these services store my password in plain text in some ancient IBM mainframe database column that is incapable of storing anything other than letters and digits. Shame on them!
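To illustrate why a letters-and-digits-only column is no reason to restrict password characters, here is an added example (not part of the original post, and not code from any site mentioned) that stores a salted scrypt hash as a fixed-length hex string. The function names and cost parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_LEN, KEY_LEN = 16, 32


def _derive(password: str, salt: bytes) -> bytes:
    # NFKC-normalize so an accented letter typed as one code point or as
    # letter + combining accent gives the same bytes, then encode as UTF-8.
    # After this step any space, symbol or accented character is just bytes.
    normalized = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.scrypt(normalized, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=KEY_LEN)


def hash_password(password: str) -> str:
    """Return the record to store: hex(salt || derived key), always 96 chars."""
    salt = os.urandom(SALT_LEN)
    return (salt + _derive(password, salt)).hex()


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    raw = bytes.fromhex(record)
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    # Constructed sample passwords containing the characters the site rejected.
    samples = ["correct horse battery staple", "p@$$w0rd!#%", "café-Zürich-ñ"]
    for pw in samples:
        record = hash_password(pw)
        # The stored value is alphanumeric and the same length every time.
        print(len(record), record.isalnum(), verify_password(pw, record))
```

The stored record contains only `0-9a-f` whatever the user typed, so it fits a column that cannot hold anything but letters and digits.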