Scott Hanselman

But that site has the VeriSign 'Secure Site' seal, what could possibly go wrong?
(they should really check for such stupidity before handing out that seal)

Agreed. It annoys me to no end when I have to create "dumbed down" versions of my passwords to work with sites that should be very secure. Wachovia (my bank) is like this--to access your account online, you must have a less than strong password. Good job guys.

Wow, that's um, really embarrassing--both for them and for me, since I never ran into that limitation with them. :\
I'll be emailing their support department.

Wait what about the sites that make the Passwords 6 or less characters? I can't even use password for my password :(
You know some one thought they were protecting themselves from SQL injection attacks.

Here! Here! Shouldn't it be as difficult as possible? And the are probably storing hte password (instead of storing a hash). Idiots.

I once has a problem with the Verizon website. They made me create a strong password with special chars, numbers and upper and lower case. I made up a password that happened to start with a special character.

When I tried to log back into the same site I was prompted for my password. I typed in the password that I created on the very same site. When I submitted the form I got an error that said "passwords can not start with special characters". I was screwed. I was unable to log in. Emails to tech support when unanswered. Bills to me from them went unpaid until the problem was fixed. I think it took a month - they reset my password and I had to create a new one. No special character in the first byte this time.

So you think my idea to allow users to select a password from a dropdownlist wouldn't be a good idea? I will make sure to encrypt the password when I save it to the database. I have a really good encryption routine I created when I first learned to program. Besides I almost always purge all credit card data after the card expiration date.

This is exactly why I left Chase and moved all my money to a local bank. The local bank requires not only a user name and strong password, but they also use two-factor. I have an 8x5 grid (A-H and 1-5) and each cell contains a single number. When I login, they ask for three of them randomly. One login they ask me for A4, H2 and C3, the next maybe A5, B5 and F1.

It's absurd that a local S&L is more concerned than a big company like Chase.

My gmail password had a space in it and I was unable to sign in to with gmail mobile (the java version). the prompt literally said "Your password cannot contain any spaces."

WTF?

We're sorry your having trouble picking a password. May we suggest one of the more popular ones, like 'secret', 'god', 'sex', or 'power' ?

Wow. I just ran into the same thing tonight when registering for Freebase, which is arguably a geek venture at this point. Only letters and numbers.

True story...

Years ago when I first signed up for online banking (7 years maybe? maybe more?) with Bank of America, they had the following guidelines in place:

Your sign in name had to be your social security number.
Your password could be 8 characters max.
Your password could not contain special characters (letters and numbers only).

Security wasn't such a big deal back then, obviously. Of course things are much, much different now.

Google Apps thinks fnorman is a STRONG password if my name was Fredrik Norman and username was fredrik@domain.com? At least it allows me to write very simple password which is nice for family, but calling that a strong password is ridiculous.

"special characters" can give users lots of proplems when the try to use another PC, as the keys are not always in the same place. Also offen the keys do not produce the character that is on the key as the PC is setup badly.

(Try using a £ (uk pound) in a password and see what happens if you need to log in from a PC in the USA that you do not have control over.)

I selected my traditional unique super secure crazy password special

And how do you manage to remember all those hard-to-guess über-passwords?

Indeed. I've run across sites with similar restrictions PLUS it had to be 8 characters or less. There's a few handy sites to tell you how strong a password is in terms of bits of Entropy (for example http://rumkin.com/tools/password/passchk.php) 8 characters without special characters, symbols or spaces is about 25.1 Entropy bits, where the "standard" acceptable minimum is 128.

Passwords are inherently insecure ... but Passphrases work so much better!

One of my credit cards was that way. I went from a obscure (but not secure) password to the super-D-duper secure password.

And it told me that I had too many characters, and that I couldn't use special characters.

*sigh*

The worst I've seen lately is a restriction on special characters and spaces, plus a mandate that passwords must be between 6 and 8 characters long. Congratulations on narrowing the key space there, guys. Someone really earned their paycheck that month.
As far as a super-secret, super-unique password that's easy to remember, I'd venture that Password Safe (or something like it) can help in that regard.

That is amazing. I never use a password without symbols if I can avoid it, and I am quite happy my banks let me use symbols in my passwords. It would be amazing if you removed the symbols and got a new message that said "Your password must be between 4 and 8 characters in length." Nothing like a short alphanumeric password to make you feel safe.

If any financial institution gave me a message like that it might be a deal breaker for me since I don't want my account stolen.

I have seen banks that have a maximum password length of 8 characters, as well. Ridiculous.

At least if they ask you for a password of some type, the script kiddies have to work at least a little bit to steal your identity and hard earned cash.

Of greater concern in my mind are those sites (and we don't know who they are) that don't even bother hashing or encrypting your passwords at all. I've seen this multiple times. I asked one guilty party about this and he told me that, "the database has a strong password." (Naturally, this strong password is stored as plain text in a configuration file). It should make you think twice about ever using the same password with multiple providers.

Another one of my pet peeves is when you've typed in your super-secret password and then the site emails it back to you unencrypted.

It drives me absolutely crazy how many sites have dumb-downed passwords. One of few things that incenses me more is error handling for passwords from the sign on screen or other credential validating screen. Having different error messages depending on what is incorrectly entered might as well tell the illegitimate user the makeup of the password.

Password security would be a great topic for a hanselminutes show.

-Phillip

If they email you an unencrypted password how do you think they may be storing said password?

I had a similar experience when I setup my account at the University Of Chicago, where I am currently getting my masters in CS.

I typed in my typical long, mixed, and complex password to have it rejected.

"Passwords must be 8 characters".

You read that right. Not LESS than 8 characters, but exactly 8 characters.

This password controls my entire life at U of C. Email, grades, registration, library check outs, logging into the wireless network, updating my immunization, opting out of their health insurance.

Anyone hoping to crack a password is saved a ton of time by knowing exactly how long the password is.

Stupid.

I just got this on a site: "Either the password is too short or password uniqueness restrictions have not been met." But, it fails to detail what the uniqueness restrictions are and how long the password must be...

A good one is Western Union. Western Union is a service for sending money anywhere in the world. A password can only be 8 characters and not contain symbols. Good grief...

my password is "incorrect". If i can't remember, the dialogbox tell me : "your password is incorrect"
:)