On Password Restrictions
Websites should list their password restrictions on their login pages. Sometimes I run into the following problem:
I try to use a password generated by my “standard model” — i.e., a standard prefix depending on the nature of the site plus some salt determined by the website itself. However, some sites have stupid password requirements. In real life, I have encountered a wide variety of them:
- A requirement of an exactly 6-character password
- A prohibition on “special characters” like any of !@#$%^&*()+=></?{}[]|\/.
- A requirement for a special character that happens to be one of !@#$%^&*()
- A requirement for numbers, uppercase, and lower case in the password
- A requirement for two sets of letters and numbers in the password — i.e., the password must match the regex /([a-zA-Z]+[0-9]+){2}/
When my standard model password doesn’t satisfy one of the more esoteric requirements, I have to modify it to fit. Fortunately, I find that on this subject at least, I tend to think the same way over time, so, given the standard model and a set of constraints, I will usually come up with the same password. However, it is uncommon for websites to list their password constraints on the login page. Therefore, I will usually try the standard model password first, and only when that fails twice (in case I mistyped the first time), and I’m down to one more try, do I realize that this website might be “special.”
Then I have to go to the trouble of finding out what the password requirements are. This is not difficult — usually it involves clicking the “sign up” button and reading a little bit — but it does take some time and it is very annoying. Listing the password requirements on the login screen would make for a much better user experience (since it is so easy to find this information, not displaying it on the login screen can’t be interpreted as a security measure either).
Of course, the real solution is for websites to get rid of their inane password requirements, so I never have to deviate from the standard model.
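The five constraints listed above, written out as a table of named rules that a site could enforce at sign-up and print verbatim on its login page. This is an added example in Python, not code from the post; the rule names, requirement texts and function names are this example's own assumptions, and the site policy and candidate passwords at the bottom are constructed.

```python
import re

# Added example: the five constraints listed in the post, encoded as named
# rules. The rule names, message texts and function names are assumptions of
# this example, not any website's actual code.
SPECIAL_REQUIRED = "!@#$%^&*()"
SPECIAL_FORBIDDEN = "!@#$%^&*()+=></?{}[]|\\/."
# The post's regex, kept unanchored as written: it is satisfied when the
# pattern letters-digits-letters-digits appears anywhere in the password.
TWO_RUNS_RE = re.compile(r"([a-zA-Z]+[0-9]+){2}")

# rule name -> (text a login page could display, predicate on the password)
RULES = {
    "exactly_six": (
        "exactly 6 characters",
        lambda p: len(p) == 6,
    ),
    "no_specials": (
        "none of " + SPECIAL_FORBIDDEN,
        lambda p: not any(c in SPECIAL_FORBIDDEN for c in p),
    ),
    "one_special": (
        "at least one of " + SPECIAL_REQUIRED,
        lambda p: any(c in SPECIAL_REQUIRED for c in p),
    ),
    "mixed": (
        "a digit, an uppercase letter and a lowercase letter",
        lambda p: (any(c.isdigit() for c in p)
                   and any(c.isupper() for c in p)
                   and any(c.islower() for c in p)),
    ),
    "two_runs": (
        "two runs of letters followed by digits (e.g. ab12cd34)",
        lambda p: TWO_RUNS_RE.search(p) is not None,
    ),
}


def requirements(rule_names):
    """Text to print on the login page for a site using these rules."""
    return [RULES[name][0] for name in rule_names]


def unmet(rule_names, password):
    """Requirement texts that `password` fails; an empty list means it is acceptable."""
    return [RULES[name][0] for name in rule_names if not RULES[name][1](password)]


if __name__ == "__main__":
    # Constructed site policy and candidates; not real sites or passwords.
    site_rules = ["mixed", "two_runs"]
    print("This site requires:", "; ".join(requirements(site_rules)))
    for candidate in ("Ab1c2", "abc123", "Abc123"):
        print(candidate, "->", unmet(site_rules, candidate) or "ok")
```

Because the same `RULES` table drives both `requirements()` and `unmet()`, the text shown on the login page cannot drift from what sign-up actually enforces. Note that the post's regex is unanchored, so `two_runs` only demands that letters-digits-letters-digits occur somewhere in the password ("xa1b2y" passes); a site wanting the whole password to have that shape would anchor it with `^` and `$`.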
March 14th, 2010 at 04:49:15 am
Listing the password requirements on the login page is insecure!
Or maybe it just clutters the page.
I’m all for letting people use whatever password they want, maybe limiting it to six characters to prevent the worst mistakes, and let people punish themselves. Though, having to provide support and protect against the fallout can be annoying. I guess I’ll just evaluate the situation when I actually design something for it.
March 15th, 2010 at 09:51:10 pm
> Listing the password requirements on the login page is insecure!
But I already said: “since it is so easy to find this information, not displaying it on the login screen can’t be interpreted as a security measure either”
March 15th, 2010 at 09:51:27 pm
Of course, you were probably being sarcastic.
March 17th, 2010 at 03:04:53 pm
I’m rational. If the password requirements are attainable in any fashion, making them more transparent will not make you less secure.
March 21st, 2010 at 09:31:36 am
I’ve been gravitating towards randomly generated passwords for most websites. I then let my password handler (Xmarks for Firefox) remember the details. Of course, this doesn’t work for pages you ever access without a browser (e.g. Steam, Twitter, games).