Password Requirements

Feb 26, 2008 8 comments

I know most of my audience is composed of web developers, so please pay attention:

Unless you’re building a financial application, please do not require me to have a password of more than 4 characters and/or some ridiculous combination of letters and numbers.

Why is the information that you’re storing on your site so valuable that you need to inconvenience me?

gotsomeideas said about 7 hours later:

My college had this annoying policy where you had to change your email password every 6 weeks or something, and it had to be over 15 characters. If you ask me, that’s almost less safe, since it basically requires you to start writing down your password on a piece of paper just to remember what you changed it to.

Corey said about 7 hours later:

Amen Brother! I’ve been wondering why certain sites limit me to characters matching /\w+/. Is there something evil about *’s and (’s that I don’t know about, or are they just zealous validators?

Jakob Heuser said about 8 hours later:

I guess it depends on the value users place in their account. For example, if you’re 14, getting your Livejournal account hacked is probably earth-shatteringly terrible.

Noah Everett said about 10 hours later:

Agreed. I usually won’t sign up if I can’t use my normal password.

Dallas John Slieker said about 11 hours later:

I don’t agree. I think that creating a standard for security is a great idea in order to avoid really bad passwords in applications where it DOES matter.

Case in point: Sally Jones uses the password “OMGHAI” for her myspace, gmail, Facebook, and her YouTube account, etc…

Sally is quite used to this terrible password, and ends up using it for her banking account. A hacker brutes his way into Sally’s YouTube account, gathers enough info to get into her email, then clears out Sally at the bank the next day.

Yeah, maybe you wouldn’t do the same thing, and maybe you use proper passwords where it matters… but LOTS of myspace users don’t know shit from Shinola when it comes to appropriate security because:

a.) They don’t know better
b.) There is no de facto security standard.

So, I’m okay with being (kinda) annoyed with password restrictions so long as it promotes best security practices.

Of course, if you really want to complain, why don’t you blog about how some websites WON’T ALLOW YOU to use special characters in your password; that’s really stupid.

meekish said about 12 hours later:

PJ: “Unless you’re building a financial application…”

Dallas: “...and ends up using it for her banking account…”

Dan said about 13 hours later:

I think the solution is to allow the end user to enter in whatever password they want, but to show some sort of “password strength” meter on the page. As the user types in their password, it could show how weak or strong the password is. The user is the person who knows how important the account is to them, and can determine how long/complex to make it on their own. You could even store the password strength so if it ever came to it, and the account was hacked, you could say “but you chose a weak password that was a ‘2’ on a scale of 1 to 10”.
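As an added illustration of the meter Dan describes (and of Corey’s point that there is no reason to reject characters outside /\w+/), here is a small client-side strength estimator. This is example code written for this page, not something from the post or any commenter; the 1-to-10 scale, the character-class pool sizes, the pattern penalties and the tiny common-password list are all constructed for illustration.

```javascript
// Added example: a client-side password strength estimate in the spirit of
// Dan's comment. Nothing here is from the original post; the 1..10 scale,
// the pool sizes and the common-password list are constructed assumptions.

// Constructed list of a few very common passwords. A real meter would use a
// much larger list (or a server-side check against breached-password data).
const COMMON_PASSWORDS = new Set([
  "password", "123456", "qwerty", "letmein", "abc123", "iloveyou",
]);

// Estimate the alphabet size from the character classes actually present.
// Every character is accepted: restricting input to /\w+/ (Corey's complaint)
// only shrinks the space a guesser has to cover.
function poolSize(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += 33;   // printable ASCII punctuation and space
  if (/[^\x20-\x7E]/.test(pw)) pool += 100;  // rough extra credit for non-ASCII
  return pool;
}

// Structure that makes a password easier to guess than its length suggests:
// each repeated character costs a full position, each straight run
// ("abcd", "4321") half a position.
function patternPenalty(pw) {
  let penalty = 0;
  for (let i = 1; i < pw.length; i++) {
    const prev = pw.charCodeAt(i - 1);
    const cur = pw.charCodeAt(i);
    if (cur === prev) penalty += 1;
    else if (Math.abs(cur - prev) === 1) penalty += 0.5;
  }
  return penalty;
}

// Returns { bits, score, label }. `score` is the 1..10 value Dan suggests
// storing; `bits` is the estimated search space in bits, which drives both.
// Thresholds (36 / 60 bits, 80 bits = 10) are assumptions for this example.
function passwordStrength(pw) {
  if (pw.length === 0 || COMMON_PASSWORDS.has(pw.toLowerCase())) {
    return { bits: 0, score: 1, label: "weak" };
  }
  const effectiveLength = Math.max(1, pw.length - patternPenalty(pw));
  const bits = effectiveLength * Math.log2(poolSize(pw));
  const score = Math.max(1, Math.min(10, Math.round(bits / 8)));
  const label = bits < 36 ? "weak" : bits < 60 ? "fair" : "strong";
  return { bits: Math.round(bits * 10) / 10, score, label };
}

// The only hard rule, in line with the post: a minimum length, no
// composition requirements and no character blacklist. Returns null when
// the password is acceptable, otherwise a message for the user.
function validatePassword(pw, minLength = 4) {
  if (pw.length < minLength) {
    return `Password must be at least ${minLength} characters.`;
  }
  return null;
}

// Wire the estimate to a form field so it updates as the user types.
// Browser-only; never called in this file so it also loads under Node.
function attachMeter(inputEl, outputEl) {
  inputEl.addEventListener("input", () => {
    const { score, label } = passwordStrength(inputEl.value);
    outputEl.textContent = `${label} (${score}/10)`;
  });
}
```

The meter is advisory: `validatePassword` is the only thing that can reject input, and it enforces nothing beyond a minimum length. If you take up Dan’s suggestion of recording the strength, store only the integer `score` alongside the account, never the plaintext password it was computed from.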

Błażej said about 14 hours later:

I’m with you on that one PJ.
