"Password must be 6 to 8 characters, with no spaces, commas, hyphens or numbers"
Although they don't specifically say so, I discovered that underscores aren't allowed either.
Further experimentation revealed that the password isn't case-sensitive, so it's obviously not stored as a hash. The password I entered when I signed up had both upper and lower case characters, but I've been able to log in using the same combination, with all lower-case, all upper-case, and with the cases swapped.
I did a bit more poking around, and wrote a simple script to try 100 wrong passwords, then the correct one. I ran it from a server with a fast internet connection, and it took about 5 seconds to run, getting a successful login on the 101st try. It would appear, therefore, that they have no defence against brute-force attacks.
Luckily, their security page explains that I have nothing to worry about, because they use 128-bit encryption and:
"As a further commitment to security, our site was submitted for approval by Thawte, the acknowledged experts in web security. Thawte authenticated Confused.com as being secure and awarded us a universally recognised digital ID certificate."
As far as I can tell, all that really means is that they bought an SSL certificate from Thawte.