
We Graded the Password Policies of the Fortune 100 — The Results Are Embarrassing

We systematically tested and graded the password and authentication policies of America's largest consumer-facing companies. What we found should concern you.

PassFail Team·March 31, 2026·12 min read

The State of Password Security at America's Biggest Companies

We graded the password policies of the Fortune 100. Not theoretically. We created real accounts, tested real login flows, and documented exactly what each company does — or doesn't do — to protect your credentials.

The results are embarrassing.


Key Findings

The average grade is a D. Across the Fortune 100 consumer-facing companies we tested, the average score sits below 70 points out of 110. That's a D. America's largest and most profitable companies — with some of the largest security budgets on earth — are collectively failing to implement password policies that NIST published guidance on back in 2017.

Banks are among the worst offenders. The institutions we trust with our money routinely impose maximum password lengths of 12–16 characters. Some still block special characters. A few still force quarterly password rotations — a practice NIST explicitly deprecated nearly a decade ago.

Paste blocking is rampant. Blocking paste in password fields makes it harder to use a password manager, which makes people use weaker passwords. We found this anti-pattern at financial institutions, healthcare providers, and government portals. There is no security benefit. It is security theater that makes you less safe.

Silent truncation still happens. In 2026. Companies silently truncate your password on registration but not on login, making it impossible to sign in with the password you just created. This is the bug that spawned PassFail.wtf. It's still out there.
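The truncation mismatch described above, and the "reject rather than cap" length handling from the traits listed under What Good Looks Like, as an added example that is not PassFail.wtf's code or any graded company's code. The 16-character legacy limit, the 128-character maximum, the 8-character minimum and the function names are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed limits for the demo (assumptions, not values from the post).
LEGACY_TRUNCATE_AT = 16   # old field width that the buggy registration path still applies
MAX_PASSWORD_LENGTH = 128 # generous explicit cap, applied identically on both paths
MIN_PASSWORD_LENGTH = 8   # assumed minimum


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly; raise it in real code.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


# --- Buggy pair: registration truncates silently, login does not -------------
def register_buggy(password: str) -> dict:
    stored = password[:LEGACY_TRUNCATE_AT]   # silently drops everything past 16 chars
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(stored, salt)}


def login_buggy(record: dict, password: str) -> bool:
    # Hashes the full password, so a password longer than 16 chars can never match
    # the record created above; only its first 16 characters will.
    return hmac.compare_digest(_hash(password, record["salt"]), record["hash"])


# --- Fixed pair: one explicit length policy, enforced the same way on both paths
def validate_policy(password: str) -> None:
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if len(password) > MAX_PASSWORD_LENGTH:
        # Reject with a clear message instead of truncating; the user can fix it now.
        raise ValueError(f"password must be at most {MAX_PASSWORD_LENGTH} characters")


def register_fixed(password: str) -> dict:
    validate_policy(password)
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


def login_fixed(record: dict, password: str) -> bool:
    if len(password) > MAX_PASSWORD_LENGTH:   # same bound as registration
        return False
    return hmac.compare_digest(_hash(password, record["salt"]), record["hash"])


if __name__ == "__main__":
    pw = "correct horse battery staple 2026"     # constructed 33-character password
    print("buggy login with own password:", login_buggy(register_buggy(pw), pw))
    print("fixed login with own password:", login_fixed(register_fixed(pw), pw))
```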


Methodology

We followed our published grading rubric, scoring each company across 10 categories for up to 110 points. We required screenshots with URL bars visible, noted test dates, and applied consistent scoring. Where we couldn't test (e.g., account creation required an existing relationship), we excluded the company.

Full methodology: How We Grade — The PassFail Methodology


What Good Looks Like

The companies that scored well shared common traits:

  • No arbitrary maximum password length (or a high one like 128 characters)
  • TOTP-based MFA available and easy to find
  • No forced complexity rules
  • Paste allowed in all password fields
  • Breach monitoring mentioned in security documentation

It's not complicated. It's not expensive. It's just following guidance that's been public for years.


The Pressure Has to Come From Somewhere

We can't rely on companies to self-correct. The people making these decisions often don't use password managers. They don't feel the friction of bad policies. The only way things change is when the public knows, when the embarrassment is documented, and when there's somewhere to look before you trust a company with your account.

That's what PassFail.wtf is.
