I was going to write a longer article about stupid password requirements and other sign-in annoyances, but Jared Spool beat me to it.
Instead here’s a contribution from ourHer Majesty’s Government:
I had to shrink the picture to fit. So in case you can’t read it, it says my password must be memorable and:
- be between 8 and 12 characters
- contain a combination of letters and numbers
- contain two or more numbers which are separated by one or more letters
- not contain spaces or the word ‘password’
- not contain three adjacent letters or numbers the same (eg ‘aaa’ or ‘999’)
They commit mistake number 10. Too many requirements on the form of the password.
So, let’s pick a password. Naturally my first choice is “bob”. Typically I try and the use same password on all these stupid websites where I have to create an account; that way I have a hope of remembering what it is.
bob is too short, how about bobandbob? Oh no, must have numbers is as well.
bob777bob? Oh hold on, there’s a little logic exercise to solve: 2 or more numbers (check) which are separated by one or more letters. Oh no, 7 and 7 are separated by 7. Hmm. This is tricky. Maybe they should just suggest an example password and I’ll use that. The wording of this requirement is precise but confusing (it’s almost as if they translated the Java code into English). “Must have numbers with letters in between the numbers” would have been a clearer way to say it.
Aha, what about 7boooob7? Oh, damnit! 7bobbob7 it is then. Good job I wrote this blog post so I can refer to it when I want my password again.
At least they didn’t commit mistake number 9 and hide all these complex requirements. Unlike Livejournal, which only reveals that your password must contain a number when you reset it via e-mail. If they told me my password had to contain a number when I got it wrong, that would give me a clue as to what it is.
This sin committed by a lot of these websites that require an account is pride. They think they’re important enough for me to care about their website. So that I might actually forgive the annoying user interface and arbitrary requirements. Whereas the reality is that it’s just another tedious annoying hoop to be jumped through just to get on with whatever it was I was trying to do (get a new driving licence because I have moved house, in my case).
code monk 
2008-01-18 at 14:24:47
Favourite account sign-in design mistakes not mentioned by Spool:
– displaying my password in the clear.
– emailing my password to me in the clear.
If only I could identify these sites in advance, I would use my special “even more stupid than usual website” password.
2008-01-18 at 15:23:36
P.S. This reminds me of Adam Chalcraft’s suggestion for passwords on a shared computing facility:
When a user picks a password, the system checks that password against all other users of the system and if it matches says: “That password is already used by user SPQR1”.
Naturally it informs SPQR1 that another user is using their password. And it doesn’t stop you changing your password to that in any case.
2008-01-18 at 15:28:46
It’s unrealistic to expect people to remember lots of passwords: rather they should be expected and encouraged to write them down somewhere safe instead. Once you’ve got past that, it becomes perfectly sensible to assign new users a random password of adequate strength and accept that they’ll write it down rather than try to memorize it. Most probably have a better idea how to hide a bit of paper than choose a strong password even with instructions anyway.
2008-01-18 at 17:19:10
Why should I be expected and encouraged to write down my password for some non-entity of a website that I’ll probably never visit again?
Last time I looked, the password manager in my Firefox had passwords for several dozen websites.
Of course, most of them are ‘bob’.
2008-01-18 at 18:30:21
If you’re never going to visit again, you can optimize out the “write it down” pretty easily!
2008-01-20 at 21:13:59
– you can optimize out the “write it down”
This is in fact what I do for some websites which I visit for important purposes but infrequently (e.g. domain management): I go the “forgotten my password” route to reset it to something random every time. My threat model doesn’t include caring about anyone snooping on my email traffic.
2008-01-25 at 16:42:41
#!/bin/sh
# make-password — prints 16 byte random hex string for use in web passwords
# $Id: //info.ravenbrook.com/user/rb/config/quail.ravenbrook.com/bin/make-password#1 $
exec hexdump -n 16 -e ’16/1 “%02X” “\n”‘ /dev/random
2008-01-31 at 16:32:11
“Must be between 8 and 12 characters” :-P
Nice script though. Why do you need the ‘exec’?
2008-02-06 at 20:07:10
You don’t need the exec, I suspect it is a burned-in microoptimisation from the days when it actually mattered.
2008-02-21 at 15:44:37
Oh, I see. So that when hexdump finishes it doesn’t need to return to the shell before terminating the script.
I’ve noticed recently that some python programs take absolutely ages to terminate after they’ve finished all the useful work. yum and scons are particular culprits.
2008-05-14 at 15:39:06
An interesting example of convergent evolution – unless Adam Chalcraft stole the idea from us.
The “your password is already in use by XXXX” was one of many ideas we came up with when brainstorming the new engineering password facility, when I worked there as a CO.
We were trying to sync passwords across the department and its systems. There was no software that would do it properly and, because NT passwords were stored as hashes that were password equivalents, we decided we might as well store the actual password somewhere securely, which made the joke make more sense.
We also suggested a list of 10 really good passwords which we could write up on a board in the main computer room, such as %8t&y4rf88as$_i for instance.
2009-05-22 at 09:32:05
@mjb: the
execis a tail call optimisation. It comes naturally to some folk, I guess.