David's Computer Stuff Journal

The worst part of many of these forms is that they don't tell you about the restrictions until you've broken them. I use a password vault for all of my passwords, so I try to use different, secure passwords, ideally generated by the random generator available through it. So I see a password field, and I set it up with the default - 128 characters, everything (symbols, numbers, capital and lowercase letters, spaces). Nine times out of ten I get an error saying my password is too long. About half of the time I get an error saying I used invalid characters, and then sometimes, it'll tell me what the passwords need to be. Put this on the form to begin with, people.

A lot of sites like to combine these with length limits. Like Jamuraa, I generate a lot of passwords automatically, and if I'm not going to be memorizing it, a 32-character password is as good as an 8 character one. A lot of Web sites enforce arbitrary limits on how long the password can be, though. And when your password is too long, some sites will just tell you that it's too long instead of saying how many characters they'll accept. Why yes, thank you, I wanted to play a guessing game today ... NOT.

The worst behavior I've experienced with passwords was a Web site that refused non-alphanumeric characters, but only for logging in! So you could create a password containing "special" characters just fine ... but if you did, you could never log in again. Ever. And the error message it generated when you tried to log in was the same as if you had mistyped your password.

I hear you, its really annoying! I'm astounded by how so many banks and financial institutions get away with these practices, when these are precisely the places where I absolutely want to have the strongest passwords! I've captured some of these here: http://floatingsun.net/2007/12/02/screens-around-the-web-password-restrictions