Pet Peeve 3: Password Restrictions

Passwords on websites are one of the worst things that the distributed internet has come up with. I have to have logins and passwords for hundreds of sites, which I need to keep separate and, ideally, different in order to be completely secure. I’ve decided to use a password locker for that purpose, which makes it much easier to keep track of all of them, because I only need to remember one very secure password.

One of the best features of using a password locker is that you can generate a new unique password for every site you need a login for. My default setting makes every password something I could probably not remember on my own: 30 characters, with a mix of upper case, lower case, numbers, symbols, and special characters.

Of course, now we get to the point of this post. Almost every site out there has some type of restriction on the passwords it allows. Usually I need to reduce the number of characters, and sometimes I need to drop some of the character sets, leaving something less secure. I don’t really have a big problem with that, although it’s completely stupid (in most cases, the underlying technology can support all of them).

The problem I have is that sites have these restrictions and then don’t tell you about them until you’ve already completed the whole form, generated the password, and submitted it. Then it comes back with an error that says something like “password must be less than 12 characters” (I’ve seen variants with a maximum as low as 8). Another variant is “you have entered an invalid character for this field”. That is not helpful. Which character was it? Which ones are allowed?

The worst ones are the sites with multiple restrictions that only tell you about one at a time. I have to submit the form three or four times, with a less secure password on each attempt. It is not making me want to use your websites, and it’s just pissing me off.
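As an added example (not from the original post), here is how a form validator can publish its rules up front and report every violation in one pass, naming the characters it rejected. The policy is a constructed one using the 8-to-12-character cap the post complains about; `POLICY`, `validate_password` and `describe_policy` are assumed names.

```python
import string

# Constructed example policy: the kind of limits the post complains about.
# A site should show these rules on the form before anything is submitted.
POLICY = {
    "min_length": 8,
    "max_length": 12,
    "allowed_symbols": "!@#$%^&*",
}


def describe_policy(policy=POLICY):
    """One line to print next to the password field, so nobody has to guess."""
    return (f"{policy['min_length']}-{policy['max_length']} characters; letters, "
            f"digits and {policy['allowed_symbols']}; must include upper case, "
            f"lower case and a digit")


def validate_password(pw, policy=POLICY):
    """Return every violation at once, instead of one per submission."""
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append(f"password must be at least {policy['min_length']} characters")
    if len(pw) > policy["max_length"]:
        problems.append(f"password must be at most {policy['max_length']} characters "
                        f"(got {len(pw)})")
    # Name the rejected characters rather than saying "invalid character".
    allowed = set(string.ascii_letters + string.digits + policy["allowed_symbols"])
    rejected = sorted(set(pw) - allowed)
    if rejected:
        problems.append("characters not allowed: " + " ".join(repr(c) for c in rejected)
                        + f"; allowed symbols are {policy['allowed_symbols']}")
    # Check all required character classes in the same pass.
    required = {
        "an upper case letter": any(c.isupper() for c in pw),
        "a lower case letter": any(c.islower() for c in pw),
        "a digit": any(c.isdigit() for c in pw),
    }
    for name, present in required.items():
        if not present:
            problems.append(f"password must contain {name}")
    return problems


if __name__ == "__main__":
    # A constructed 30-character generated password, the way a locker would emit it.
    print(describe_policy())
    for line in validate_password("Xq7~mLp2{Zr9!aBc4dEf5GhJ6kLm8n"):
        print(" -", line)
```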

Of course the solution to this dilemma would be to have some universal login for the entire internet, but that’s not going to happen any time soon. OpenID gave it a good shot, but it didn’t work very well overall. Facebook and Google are giving it a sporting chance, and Twitter is a close third, with a number of others who are trying to use OAuth to become a user silo. I’m not happy with any of these, but they’re better than having a login everywhere.