Scott Hanselman

Password should not contain any special characters, symbols or spaces

July 04, 2007 | Posted in Musings

When signing up for an Mvelopes Personal trial, I selected my traditional unique super secure crazy password special for this site and was told "Please enter a valid Password (Password should not contain any special characters, symbols or spaces)."

Patrick was standing with me while I tried to sign up. After we picked our jaws up off the ground he said:

"Seriously, how about a dialog box that says 'Please ensure your password is all lowercase and only contains words from the dictionary.'"

Folks, please, use strong passwords. For me, I'm going to pass on financial institutions that encourage passwords like "password" to protect my money.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

July 04, 2007 2:10
But that site has the VeriSign 'Secure Site' seal, what could possibly go wrong?
(they should really check for such stupidity before handing out that seal)
Tim
July 04, 2007 2:16
Agreed. It annoys me to no end when I have to create "dumbed down" versions of my passwords to work with sites that should be very secure. Wachovia (my bank) is like this--to access your account online, you must have a less than strong password. Good job guys.
July 04, 2007 2:42
Wow, that's um, really embarrassing--both for them and for me, since I never ran into that limitation with them. :\
I'll be emailing their support department.
July 04, 2007 2:58
Wait, what about the sites that make the passwords 6 or fewer characters? I can't even use "password" for my password :(
You know someone thought they were protecting themselves from SQL injection attacks.
July 04, 2007 3:03
Hear! Hear! Shouldn't it be as difficult as possible? And they are probably storing the password (instead of storing a hash). Idiots.
July 04, 2007 3:52
I once had a problem with the Verizon website. They made me create a strong password with special chars, numbers and upper and lower case. I made up a password that happened to start with a special character.

When I tried to log back into the same site I was prompted for my password. I typed in the password that I created on the very same site. When I submitted the form I got an error that said "passwords cannot start with special characters". I was screwed. I was unable to log in. Emails to tech support went unanswered. Bills to me from them went unpaid until the problem was fixed. I think it took a month - they reset my password and I had to create a new one. No special character in the first byte this time.

July 04, 2007 5:19
So you think my idea to allow users to select a password from a dropdownlist wouldn't be a good idea? I will make sure to encrypt the password when I save it to the database. I have a really good encryption routine I created when I first learned to program. Besides I almost always purge all credit card data after the card expiration date.
July 04, 2007 6:50
This is exactly why I left Chase and moved all my money to a local bank. The local bank requires not only a user name and strong password, but they also use two-factor. I have an 8x5 grid (A-H and 1-5) and each cell contains a single number. When I log in, they ask for three of them randomly. One login they ask me for A4, H2 and C3, the next maybe A5, B5 and F1.

It's absurd that a local S&L is more concerned than a big company like Chase.
July 04, 2007 6:52
My Gmail password had a space in it and I was unable to sign in with Gmail mobile (the Java version). The prompt literally said "Your password cannot contain any spaces."

WTF?


We're sorry you're having trouble picking a password. May we suggest one of the more popular ones, like 'secret', 'god', 'sex', or 'power'?
July 04, 2007 8:02
Wow. I just ran into the same thing tonight when registering for Freebase, which is arguably a geek venture at this point. Only letters and numbers.
July 04, 2007 10:59
True story...

Years ago when I first signed up for online banking (7 years maybe? maybe more?) with Bank of America, they had the following guidelines in place:

Your sign in name had to be your social security number.
Your password could be 8 characters max.
Your password could not contain special characters (letters and numbers only).

Security wasn't such a big deal back then, obviously. Of course things are much, much different now.
July 04, 2007 12:24
Google Apps thinks fnorman is a STRONG password if my name was Fredrik Norman and username was fredrik@domain.com? At least it allows me to write very simple password which is nice for family, but calling that a strong password is ridiculous.
July 04, 2007 12:41
"Special characters" can give users lots of problems when they try to use another PC, as the keys are not always in the same place. Also, often the keys do not produce the character that is on the key, as the PC is set up badly.

(Try using a £ (uk pound) in a password and see what happens if you need to log in from a PC in the USA that you do not have control over.)
July 04, 2007 13:09
"I selected my traditional unique super secure crazy password special"

And how do you manage to remember all those hard-to-guess über-passwords?
July 04, 2007 19:54
Indeed. I've run across sites with similar restrictions PLUS it had to be 8 characters or less. There are a few handy sites to tell you how strong a password is in terms of bits of entropy (for example http://rumkin.com/tools/password/passchk.php). 8 characters without special characters, symbols or spaces is about 25.1 entropy bits, where the "standard" acceptable minimum is 128.
July 05, 2007 11:09
Passwords are inherently insecure ... but Passphrases work so much better!
July 05, 2007 17:08
One of my credit cards was that way. I went from an obscure (but not secure) password to the super-D-duper secure password.

And it told me that I had too many characters, and that I couldn't use special characters.

*sigh*
July 05, 2007 17:45
The worst I've seen lately is a restriction on special characters and spaces, plus a mandate that passwords must be between 6 and 8 characters long. Congratulations on narrowing the key space there, guys. Someone really earned their paycheck that month.
As far as a super-secret, super-unique password that's easy to remember, I'd venture that Password Safe (or something like it) can help in that regard.
July 05, 2007 17:56
That is amazing. I never use a password without symbols if I can avoid it, and I am quite happy my banks let me use symbols in my passwords. It would be amazing if you removed the symbols and got a new message that said "Your password must be between 4 and 8 characters in length." Nothing like a short alphanumeric password to make you feel safe.

If any financial institution gave me a message like that it might be a deal breaker for me since I don't want my account stolen.
July 05, 2007 20:07
I have seen banks that have a maximum password length of 8 characters, as well. Ridiculous.
July 05, 2007 20:22
At least if they ask you for a password of some type, the script kiddies have to work at least a little bit to steal your identity and hard earned cash.

Of greater concern in my mind are those sites (and we don't know who they are) that don't even bother hashing or encrypting your passwords at all. I've seen this multiple times. I asked one guilty party about this and he told me that, "the database has a strong password." (Naturally, this strong password is stored as plain text in a configuration file). It should make you think twice about ever using the same password with multiple providers.

Another one of my pet peeves is when you've typed in your super-secret password and then the site emails it back to you unencrypted.
July 05, 2007 23:33
It drives me absolutely crazy how many sites have dumbed-down passwords. One of the few things that incenses me more is error handling for passwords from the sign-on screen or other credential-validating screen. Having different error messages depending on what is incorrectly entered might as well tell the illegitimate user the makeup of the password.

Password security would be a great topic for a hanselminutes show.

-Phillip
July 06, 2007 5:36
If they email you an unencrypted password how do you think they may be storing said password?
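Several comments above make the same two points from the defender's side: a site that can email your password back must be storing it in a recoverable form, and a login screen that says which half of the credential was wrong leaks information. The following is an added example, not code from the post or from any site or project named on the page, showing a minimal user store that keeps only a salted PBKDF2 hash (so there is nothing to email back), compares hashes in constant time, and returns one generic message whether the username or the password was wrong. The store is an in-memory dict constructed for the example; `GENERIC_FAILURE`, `DUMMY_SALT` and the iteration count are assumptions chosen here.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed example; not code from any site or project mentioned on the page.
# Work factor for PBKDF2-HMAC-SHA256 (raise it in production; kept modest so the demo is quick).
ITERATIONS = 100_000
DIGEST_LEN = 32
# A fixed dummy salt so a lookup miss costs the same as a real verification.
DUMMY_SALT = os.urandom(16)
# Identical wording for "unknown user" and "wrong password": the response itself
# does not reveal which half of the credential failed.
GENERIC_FAILURE = "The username or password is incorrect."

UserStore = Dict[str, Tuple[bytes, bytes]]  # username -> (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted, slow hash. Only (salt, digest) is stored; the password
    itself is never persisted, so there is nothing to email back later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, DIGEST_LEN)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash for the candidate and compare in constant time
    (no early exit on the first mismatching byte)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, DIGEST_LEN)
    return hmac.compare_digest(candidate, expected)


def register(store: UserStore, username: str, password: str) -> None:
    """Spaces and symbols are accepted as-is; the hash does not care what the bytes are."""
    store[username] = hash_password(password)


def authenticate(store: UserStore, username: str, password: str) -> Tuple[bool, str]:
    """Return (ok, message). Failures of either kind produce the same message,
    and an unknown user still pays for one hash so timing does not reveal the miss."""
    record = store.get(username)
    if record is None:
        verify_password(password, DUMMY_SALT, b"\x00" * DIGEST_LEN)
        return False, GENERIC_FAILURE
    salt, digest = record
    if not verify_password(password, salt, digest):
        return False, GENERIC_FAILURE
    return True, "OK"


if __name__ == "__main__":
    users: UserStore = {}
    register(users, "alice", "correct horse battery staple!")  # spaces and a symbol, no problem
    print(authenticate(users, "alice", "correct horse battery staple!"))
    print(authenticate(users, "alice", "password"))
    print(authenticate(users, "mallory", "password"))
```

The point of the dummy verification on an unknown username is that the "no such user" path takes roughly as long as the "wrong password" path; otherwise an attacker could enumerate valid usernames by timing even though the message text is the same. A real deployment would swap the in-memory dict for a database row holding the same salt and digest, and would use a memory-hard KDF (scrypt, Argon2) where available.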
July 06, 2007 8:09
I had a similar experience when I set up my account at the University of Chicago, where I am currently getting my master's in CS.

I typed in my typical long, mixed, and complex password to have it rejected.

"Passwords must be 8 characters".

You read that right. Not LESS than 8 characters, but exactly 8 characters.

This password controls my entire life at U of C. Email, grades, registration, library checkouts, logging into the wireless network, updating my immunization, opting out of their health insurance.

Anyone hoping to crack a password is saved a ton of time by knowing exactly how long the password is.

Stupid.
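The post's "no special characters, symbols or spaces" rule, the 6-to-8 and "exactly 8" caps in the comments, and the entropy comment all come down to the size of the space an attacker has to search. The following is an added example, not code from the post or from any site named on the page: it writes the restrictive rule and a length-first alternative as validators, and computes the brute-force key space (in bits) each policy admits. The policy functions and their default limits are assumptions constructed for illustration; the alphabet sizes are the 62 alphanumerics and the 95 printable ASCII characters.

```python
import math
import re

# Hypothetical validators constructed for this example; not the site's code.
ALNUM_RE = re.compile(r"[A-Za-z0-9]+")


def restrictive_policy(pw: str, min_len: int = 6, max_len: int = 8) -> bool:
    """The rule the post and several commenters hit: letters and digits only,
    no symbols or spaces, and a hard length cap (6 to 8 characters here)."""
    return min_len <= len(pw) <= max_len and ALNUM_RE.fullmatch(pw) is not None


def permissive_policy(pw: str, min_len: int = 12, max_len: int = 128) -> bool:
    """Length-first rule: any printable character (spaces and symbols included),
    with an upper bound generous enough for passphrases and manager-generated strings."""
    return min_len <= len(pw) <= max_len and all(c.isprintable() for c in pw)


def keyspace_bits(alphabet_size: int, min_len: int, max_len: int) -> float:
    """log2 of the number of distinct passwords a policy admits, i.e. the
    brute-force key space for a uniformly random password under that policy.
    This is an upper bound: a human-chosen password has far less entropy."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


def policy_comparison() -> dict:
    """Key-space bits for the policies discussed on the page.
    62 = [A-Za-z0-9]; 95 = printable ASCII including space and symbols."""
    return {
        "alnum, exactly 8": keyspace_bits(62, 8, 8),
        "alnum, 6 to 8": keyspace_bits(62, 6, 8),
        "alnum, up to 8": keyspace_bits(62, 1, 8),
        "printable, 12": keyspace_bits(95, 12, 12),
        "printable, 12 to 64": keyspace_bits(95, 12, 64),
    }


if __name__ == "__main__":
    for name, bits in policy_comparison().items():
        print(f"{name:>22}: {bits:6.1f} bits")
```

Two things the numbers make visible: allowing 6-to-8 rather than exactly 8 buys almost nothing (the longest length dominates the sum), so the cap is what bounds the search; and lifting the cap and the character restriction together adds tens of bits, which is why the commenters who recommend passphrases or a password manager are giving the right advice.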
July 06, 2007 20:31
I just got this on a site: "Either the password is too short or password uniqueness restrictions have not been met." But, it fails to detail what the uniqueness restrictions are and how long the password must be...
July 06, 2007 23:07
A good one is Western Union. Western Union is a service for sending money anywhere in the world. A password can only be 8 characters and not contain symbols. Good grief...
July 09, 2007 0:59
My password is "incorrect". If I can't remember, the dialog box tells me: "your password is incorrect"
:)
