Poor password security on a 2017 healthcare website?

Discussion in 'privacy general' started by brians08, Jul 31, 2017.

  1. brians08

    brians08 Registered Member

    Joined: Apr 27, 2008
    Posts: 102
    I just created an account on myuhc.com today and found that the password restrictions are dangerously weak. They require a special character, but in reality you are limited to only four of a possible 32, i.e. @ _ - #
    If that isn't enough, I discovered that the web form forces all lower case characters to upper case when you click the submit button. If a hacker gets the myuhc pw hash list, it should be very easy to run through hashcat with the pw rules: only upper case alpha, 0-9, @ _ - #
    I logged a complaint on the website but doubt they will care.
     
  2. Sordid

    Sordid Registered Member

    Joined: Oct 25, 2011
    Posts: 235
    No...
    http://rumkin.com/tools/password/passchk.php
    Unless they limit length or you use a short password, that char set is far large enough to resist brute-force; then there are hash "salts" versus table attacks.
    Meanwhile, service calls/tickets over being locked out due to capslocks/ambiguous symbol chars go away.
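
Added example, not part of either post: a short calculation of what the restriction described in the thread costs in search space, and how much extra length makes up for it. It assumes uniformly random passwords, takes the 94 printable non-space ASCII characters as the unrestricted baseline, and uses a constructed sample password; all function names are illustrative.

```python
import math
import string

# Alphabet the form effectively accepts, per the first post: upper-case
# letters (lower case is folded on submit), digits, and @ _ - #
RESTRICTED = string.ascii_uppercase + string.digits + "@_-#"
# Assumed baseline: 52 letters + 10 digits + 32 symbols, no space
FULL = string.ascii_letters + string.digits + string.punctuation

def bits(alphabet_size, length):
    """Search-space size in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)

def length_to_match(target_bits, alphabet_size):
    """Shortest length whose search space reaches target_bits."""
    # Small epsilon guards against float noise on exact multiples.
    return math.ceil(target_bits / math.log2(alphabet_size) - 1e-9)

def fold(password):
    """Mimic the case folding the first post describes."""
    return password.upper()

def accepted(password):
    """True if every folded character is in the restricted alphabet."""
    return all(ch in RESTRICTED for ch in fold(password))

def case_variants_collapsed(password):
    """Number of differently-cased inputs that fold to one stored value."""
    return 2 ** sum(ch.isalpha() for ch in password)

if __name__ == "__main__":
    print(f"restricted alphabet: {len(RESTRICTED)} chars, full: {len(FULL)} chars")
    for n in (8, 10, 12, 16):
        need = length_to_match(bits(len(FULL), n), len(RESTRICTED))
        print(f"len {n:2}: full {bits(len(FULL), n):5.1f} bits, "
              f"restricted {bits(len(RESTRICTED), n):5.1f} bits, "
              f"restricted length for parity: {need}")
    sample = "Blue-Horse#42"  # constructed sample, not a real credential
    print(fold(sample), accepted(sample), case_variants_collapsed(sample))
```

Each character in the 40-symbol alphabet carries about 5.3 bits against about 6.6 for the full set, so roughly one extra character per four closes the gap, provided the site does not cap the length.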
     