
On Password Restrictions

Websites should list their password restrictions on their login pages. Sometimes I run into the following problem:

I try to use a password generated by my “standard model” — i.e., a standard prefix depending on the nature of the site and some salt determined by the website itself. However, some sites have stupid rules on their password requirements. In real life, I have encountered a wide variety of password requirements:

  • A requirement of an exactly 6-character password
  • A prohibition on “special characters” like any of !@#$%^&*()+=></?{}[]|\/.
  • A requirement for a special character that happens to be one of !@#$%^&*()
  • A requirement for numbers, uppercase, and lower case in the password
  • A requirement for two sets of letters and numbers in the password — i.e., fit the regex /([a-zA-Z]+[0-9]+){2}/

When my standard model password doesn’t fit into one of the more esoteric requirements, I have to modify it to fit. Fortunately, I find that on this subject at least, I tend to think the same way over time, so, given the standard model and a set of constraints, I will usually come up with the same password. However, it is uncommon for websites to list their password constraints on the log-in page. Therefore, I will usually try the standard model password first, and only when that fails twice (in case I mistyped the first time), and I’m down to one more try, do I realize that this website might be “special.”

Then I have to go to the trouble to find out what the password requirements are. This is not difficult — usually it involves clicking the “sign up button” and reading a little bit — but it does take some time and it is very annoying. Listing the password requirements at the login screen would make for a much better user experience (since it is so easy to find this information, not displaying it on the login screen can’t be interpreted as a security measure either).

Of course, the real solution is for websites to get rid of their inane password requirements, so I never have to deviate from the standard model.
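As an added illustration (not code from the original post), the rules listed above can be written once as a declarative policy that a site both enforces and prints verbatim on its login page, so the hint the post asks for comes from the same source of truth as the check itself. The site names, rule texts and sample passwords are constructed for this example.

```javascript
// Constructed example: each rule has the text shown to the user and the
// predicate that enforces it. The rules are the ones listed in the post.
const RULES = {
  exactly6: { text: "exactly 6 characters",
              test: (p) => p.length === 6 },
  noSpecial: { text: "no special characters (!@#$%^&*()+=></?{}[]|\\/.)",
               test: (p) => !/[!@#$%^&*()+=><\/?{}\[\]|\\.]/.test(p) },
  oneSpecial: { text: "at least one of !@#$%^&*()",
                test: (p) => /[!@#$%^&*()]/.test(p) },
  mixedCase: { text: "a digit, an uppercase and a lowercase letter",
               test: (p) => /[0-9]/.test(p) && /[A-Z]/.test(p) && /[a-z]/.test(p) },
  twoGroups: { text: "two runs of letters each followed by digits",
               test: (p) => /([a-zA-Z]+[0-9]+){2}/.test(p) },
};

// Per-site policies (constructed): a list of rule ids per hostname.
// Note that bank.example and shop.example are mutually exclusive, which is
// exactly why a "standard model" password cannot satisfy both unmodified.
const POLICIES = {
  "bank.example": ["exactly6", "noSpecial"],
  "shop.example": ["oneSpecial", "mixedCase"],
  "forum.example": ["twoGroups"],
};

// Returns the texts of every rule a candidate password violates.
// An empty array means the password is acceptable for that site.
function checkPassword(site, password) {
  return POLICIES[site]
    .filter((id) => !RULES[id].test(password))
    .map((id) => RULES[id].text);
}

// The one-line hint a login page can render next to the password field.
function describePolicy(site) {
  const parts = POLICIES[site].map((id) => RULES[id].text);
  return "Password rules: " + parts.join("; ");
}

// Usage: print the hint and the violations for a few constructed candidates.
for (const site of Object.keys(POLICIES)) {
  console.log(describePolicy(site));
}
console.log(checkPassword("bank.example", "abc12!"));   // violates noSpecial
console.log(checkPassword("forum.example", "ab12cd34")); // []
```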

5 Responses to “On Password Restrictions”

  1. Stickman Says:

    Listing the password requirements on the login page is insecure!

    Or maybe it just clutters the page.

    I’m all for letting people use whatever password they want, maybe limiting it to six characters to prevent the worst mistakes, and let people punish themselves. Though, having to provide support and protect against the fallout can be annoying. I guess I’ll just evaluate the situation when I actually design something for it.

  2. Ryan McElroy Says:

    > Listing the password requirements on the login page is insecure!

    But I already said: “since it is so easy to find this information, not displaying it on the login screen can’t be interpreted as a security measure either”

  3. Ryan McElroy Says:

    Of course, you were probably being sarcastic.

  4. Stickman Says:

    I’m rational. If the password requirements are attainable in any fashion, making them more transparent will not make you less secure.

  5. Spencer Says:

    I’ve been gravitating towards randomly generated passwords for most websites. I then let my password handler (Xmarks for Firefox) remember the details. Of course, this doesn’t work for pages you ever access without a browser (e.g. Steam, Twitter, games).
