That password doesn't exceed 40 characters. I can see no logical reason for it to have failed.

I remember back in the days of reusing the same password for everything, one of the Linux password libraries would always tell me that my password, a random string of letters and numbers, was based on a dictionary word. I'm sure no dictionary word starts with "fn7".

Whilst it says "cannot exceed 40 chars" your password is 40 chars. I'd have deleted one character at a time till it accepted it.

As for it showing the 12 char password as secure vs your 40 one as not. I expect that is just poor UI and they're _really_ saying its invalid (outside of their requirements).

Tried removing just 1 character & it still failed.

Sweet spot seems to be 13-25 characters with a result of "stronger"

ANglEAUT:

 

Tried removing just 1 character & it still failed.

 

Sweet spot seems to be 13-25 characters with a result of "stronger"

 

🤷

My first guess would be it doesn’t like the ^ .... ; they’ve already said not to use <> and others so  I’m guessing their are a few other “special special” chars not acceptable

Why would they have a 40 char limit?  Are they not hashing the user password so they never store the users actual password?

I’d guess that one of the characters is acting as a delimiter and they’re ignoring everything before that character. It is probably the caret (^) which, although it is not a punctuation character, is often used as if it is punctuation.

P.S. I went back to look at the password and it would make sense that the caret is delimiting so your password fails because only 7 characters are evaluated.

I have seen a few recently that cause issues with (in my case Apple's) automatic password generation.

Apple might suggest 45G7-N321-B7F4 for example, which seems pretty secure for most uses.

The site however might insist on Special Characters as well, which Apple won't insert.

Sometimes I have also seen instances where suggested passwords from say One Password have the "wrong" special characters in because for some reason something like & has been disallowed.

ANglEAUT:

This server supports SQL injection! See if you can get in and have some fun! Hint: use doubled-up escaped chars, URI encoding, ...