Vio Bank Website

The password requirement is not even fully enumerated. Upon inspection of the source code, the following lines were found, hidden by javascript: "Must include at least %MINSPECIAL of the following characters:-.~!@#&_{}|:$%^*()=[];?/+"

The actual list of special characters that are prohibited is correctly enumerated there. It's a result of a misapplication of the variable allowedSpecialCharacters found here.

It took under 5 minutes to find the bug after looking at the source for the first time. This is a bank.

Vio Bank dumb password rule screenshot