@chimo, "passwords must start with a letter" probably means "cleartext storage" + either "generating code + not sanitizing" or "using the wrong cmp operator". There have been many cases throughout computing history where "starts with a digit" meant "parses as numeric", for example.