I just canceled my contract with EDF (the major electricity provider in France). Their website is incredibly... Wow.
I started with a password reset. You can simply reset it using a "security question". You know, a question that looks like "where were you born?". Yes. I can cancel electricity for anyone just by knowing their email address and their birthplace.
Then I got a password reset link by email. But there were two links: "reset password using a computer or a tablet" and "reset password using a smartphone". I guess they never heard about responsive design.
After that, I had to set a new password. I tried QBDojuq06RSAB0aibAZy. But it was only a "correct password". Because, for "security reasons", I must add a special character. Yes, they talk about security, but I can steal the account of anyone I want, and I can't have a password longer than 20 characters.
A small aside, but... why do some websites restrict password length? Forbidding short passwords makes sense to slow down brute force, but why forbid long ones? The password is hashed anyway, so it takes a fixed size in the database. So the only difference between a 20-character password and a 128-character password is that the 128-character one is more secure.
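To make the point concrete, here is an added example (not code from the original post, and nothing to do with EDF's implementation) of password storage where the stored record is the same size whether the password is 20 or 128 characters, and the only length limit is a generous one that bounds the hashing work per request. The policy values, the PBKDF2 work factor and the `length_ok`/`hash_password`/`verify_password` names are my own assumptions.

```python
# Added example, not from the original post: password storage that shows why a
# 20-character maximum buys nothing. Every stored record is SALT_LEN + DIGEST_LEN
# bytes, whatever the password length; the only limit worth having is a generous
# one that caps hashing work per request. Policy values below are assumptions.
import hashlib
import hmac
import os

MIN_LEN = 12          # assumed policy: short passwords are the ones to refuse
MAX_LEN = 1024        # assumed policy: only caps per-request hashing cost
SALT_LEN = 16
ITERATIONS = 200_000  # assumed PBKDF2-HMAC-SHA256 work factor
DIGEST_LEN = 32


def length_ok(password: str) -> bool:
    """Accept anything between the minimum and a generous maximum (in bytes)."""
    n = len(password.encode("utf-8"))
    return MIN_LEN <= n <= MAX_LEN


def hash_password(password: str, salt: bytes = None) -> bytes:
    """Return salt || PBKDF2 digest: always SALT_LEN + DIGEST_LEN bytes."""
    if not length_ok(password):
        raise ValueError("password length outside policy")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, DIGEST_LEN
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if not length_ok(password):
        return False
    salt = stored[:SALT_LEN]
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    short_pw = "QBDojuq06RSAB0aibAZy"                       # 20 chars, as in the post
    long_pw = "correct horse battery staple " * 4 + "x" * 12  # 128 chars, constructed
    for pw in (short_pw, long_pw):
        record = hash_password(pw)
        print(len(pw), "chars ->", len(record), "bytes stored; verifies:",
              verify_password(pw, record))
```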
This form was also awful. It violates about 4 of the rules explained here (clearnet link), even though it contains only 2 inputs.
So, when I finally got into my account, I clicked the relocation link and then I... had to sign in again.
Well, it's impressive to see how a company that has such a great impact on the lives of its customers can make such mistakes.