Now accepting bitcoins.

Tuesday, April 25, 2023

Dominion Energy Security Theater Failures

I recently had to go through the nine circles of hell to pay my utility bill online.  What kind of sadistic individuals work for the utility company and fear that countless numbers of hackers want to hack my energy bill?  Oh no, they hacked in and paid my bill for me!

Here is a short list of the unnecessarily difficult hoops I had to jump through as a returning customer who was made to re-validate my credentials to access my account and pay my bill.

  • I was required to enter a new password.  After entering my first attempt at a new password, it was rejected because it did not follow the undisclosed password rules.  Oh wait, the password rules were available, just difficult to find.  They were shown in a popup box while typing the password and disappeared when you finished typing.  My bad.  To make it less confusing to the user, why not show the rules all the time or have a help icon that shows the rules when you click or hover over it?  Also, the password is rejected only after you submit the entire form, instead of telling you instantly whether the password is OK by using client-side validation.
  • Matching the stated password rules is not enough; there is extra undocumented validation.  In addition to the specific stated rules (use lowercase, uppercase, number, special character), Dominion also performs a library check to see if you have any "words" anywhere in your password string.  Long passphrases, a common password approach, are not permitted.  Also, don't try using Bite#Me3Dominon! as your password.  It passes the bulleted list of rules, but will be flagged by the dictionary checker.
  • You have to enter your password twice, and you are not allowed to paste it from another window (like, say, from your bank site).  If you use a random password generator, like the one in Bitwarden, you will still have to copy the password manually into the Dominion form.  And given the unnecessarily complex rules, it will be something difficult to type in like XN^t&j5m7e4M*q.  This is more of an exercise in your reading and typing skills than actual useful security.
  • The rule against copying and pasting your credentials also applies to entering your bank account information for paying your bill.  You will need to type in your account number manually, and you will need to do it twice.  They have a second confirmation entry to make sure you didn't screw it up the first time.  And, get this, to add some more skills challenges, you can't see the account number while you are typing it in (twice).  It is hidden like a password entry.  There is a "show me" icon you can click on, but it only shows the account number field as long as you hold down your mouse click on the "show me" icon.  As soon as you release the mouse click, the account number is hidden again.  No looking at the number while you are typing it in, and you can't compare what you typed in the first and second validation entry boxes.
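As an added illustration (not code from the post or from Dominion), here is what the live, client-side feedback described above could look like: a checker that reports every unmet composition rule at once, plus a stand-in for the undisclosed dictionary check. The rule set and word list are constructed for this example; they show why a strong random string passes while a long passphrase is rejected only by the hidden word check.

```javascript
// Added example: report every unmet password rule at once, on each keystroke,
// instead of rejecting the whole form after submit.
// The rules and word list below are constructed for illustration, not Dominion's policy.

const COMPOSITION_RULES = [
  { id: "lower",   test: (pw) => /[a-z]/.test(pw),        text: "at least one lowercase letter" },
  { id: "upper",   test: (pw) => /[A-Z]/.test(pw),        text: "at least one uppercase letter" },
  { id: "digit",   test: (pw) => /[0-9]/.test(pw),        text: "at least one digit" },
  { id: "special", test: (pw) => /[^A-Za-z0-9]/.test(pw), text: "at least one special character" },
];

// Constructed stand-in for an undisclosed dictionary: any listed word appearing
// anywhere in the password (case-insensitive) triggers a rejection.
const WORD_LIST = ["bite", "me", "dominion", "correct", "horse", "battery", "staple"];

function findDictionaryWords(pw, words = WORD_LIST) {
  const lower = pw.toLowerCase();
  return words.filter((w) => lower.includes(w));
}

// Returns human-readable problems; an empty list means the password is accepted.
// blockWords=false shows the same policy with the passphrase-hostile check removed.
function evaluatePassword(pw, { words = WORD_LIST, blockWords = true } = {}) {
  const problems = COMPOSITION_RULES
    .filter((r) => !r.test(pw))
    .map((r) => `needs ${r.text}`);
  if (blockWords) {
    const hits = findDictionaryWords(pw, words);
    if (hits.length) problems.push(`contains dictionary word(s): ${hits.join(", ")}`);
  }
  return problems;
}

// Browser wiring: show the full list of problems while the user is still typing.
function attachLiveFeedback(inputEl, outputEl) {
  inputEl.addEventListener("input", () => {
    const problems = evaluatePassword(inputEl.value);
    outputEl.textContent = problems.length ? problems.join("; ") : "Password meets all rules";
  });
}
```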
It took me so long to fill out this form that I used extra energy, and my payment was late, resulting in a late fee.  Maybe that was their strategy!