I've seen worse password purgatories in the wild. One was the Princeton undergrad acceptance (or should I say rejection) portal, which for some reason required registration even though I was entering a key from an email. It was something like:
1. marcopollo – Password must contain at least two numbers.
2. marcopollo11 – Password must not begin or end with a number.
3. m1arcopoll1o – Password must not contain two of the same number.
4. m1arcopoll2o – Password must contain at least one special character (! ? & % $ # @).
5. m1arcopoll2o! – Password must not end with a special character.
6. m1arcopoll2!o – Password must not contain 3 or more of the same letter.
7. m1arcopoll2p! – Password must not contain 2 of the same consecutive character.
8. I forget, but it kept going.
At some point, I gave up and started generating random passwords. The first 3 attempts were still not accepted. In a way, those restrictions were actually reducing the entropy.
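The entropy point above can be measured. The following is an added example, not part of the original comment or the portal's code: it encodes the seven listed rules and estimates how many uniformly random passwords they reject. The 12-character length, the alphabet, case-sensitive letter counting, the rule wording and all function names are assumptions.

```python
import math
import random
import string
from collections import Counter

SPECIALS = "!?&%$#@"  # the special characters quoted in the comment
ALPHABET = string.ascii_letters + string.digits + SPECIALS  # assumed alphabet

def violations(pw):
    """Return every listed rule that pw breaks, in the order the comment gives."""
    digits = [c for c in pw if c.isdigit()]
    letters = Counter(c for c in pw if c.isalpha())  # case-sensitive (assumption)
    checks = [
        ("at least two numbers", len(digits) >= 2),
        ("no number at start or end", not (pw[0].isdigit() or pw[-1].isdigit())),
        ("no repeated number", len(set(digits)) == len(digits)),
        ("at least one special character", any(c in SPECIALS for c in pw)),
        ("no special character at end", pw[-1] not in SPECIALS),
        ("no letter used 3+ times", all(n < 3 for n in letters.values())),
        ("no identical consecutive characters",
         all(a != b for a, b in zip(pw, pw[1:]))),
    ]
    return [name for name, ok in checks if not ok]

def acceptance_rate(length=12, trials=20000, seed=1):
    """Estimate the share of uniformly random passwords that pass every rule."""
    # Seeded PRNG for a repeatable simulation only; real passwords need `secrets`.
    rng = random.Random(seed)
    passed = sum(
        not violations("".join(rng.choices(ALPHABET, k=length)))
        for _ in range(trials)
    )
    return passed / trials

def bits_lost(rate):
    """Entropy removed from a uniform generator when only `rate` of its outputs pass."""
    return -math.log2(rate)

if __name__ == "__main__":
    rate = acceptance_rate()
    total = 12 * math.log2(len(ALPHABET))
    print(f"accepted: {rate:.1%}, lost: {bits_lost(rate):.2f} of {total:.1f} bits")
```

The bit count applies only to a uniform random generator, where shrinking the allowed set by a factor f costs exactly -log2(f) bits; it says nothing about human-chosen passwords.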