Suggestion on Password Criteria


Xiferanze

03.05.2013 , 10:53 PM | #1

I just wanted to leave a quick note, before I forget, as this just happened to me.

Summary: I feel the change password forms in your account and when resetting a password need to tell you the allowed characters and min/max password length.

As I point out in the details I unknowingly generated invalid passwords and received no indication they were not entered as expected.

I got the email about the login changes and while logged in decided to update my password for better security.

I now use a secure password management utility and generated a 20 character long password.

However I had no indications on any limits and did not know that passwords are limited to 16 characters in length.

I reset my password to no avail, because I was still unaware and received no indication of password limits (such as allowed characters or min/max length) and so used too long a password again. The system seemed to stop responding to my reset password requests, I probably exceeded some limit, which is fine.

I eventually got the idea to try logging in over and over removing characters and finally was able to log in again, and now I'm here typing this. I just was hoping to give you this suggestion and let you know of my experience so you could potentially improve the user experience in the future. And also to hopefully help anyone else who happens to run into the same issue.

Thank you for your time.

dekeonus

03.06.2013 , 03:28 AM | #2
I second this! Far too many websites have password validation systems that don't let the user know the valid character set (or at least invalid characters).
Not checking the input buffer was longer than the allowed length is just poor security coding. If you are checking and just not doing anything to inform the user AND REJECT the password choice that is just poor UI design.

Just how secure is the password database in reality if even these basic failures of system design are being made?
ERROR: reality.sys not found, universe halted!
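
The failure described in this thread, as an added example that is not part of either post and not the site's code: it assumes the change-password form silently cut input to the 16-character limit while the login form compared the full input, and contrasts that with a form that states its policy and rejects invalid input. The minimum length, the allowed character set, all function names and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

MIN_LEN, MAX_LEN = 8, 16  # 16 is the limit reported in the thread; 8 is assumed
ALLOWED = set(string.ascii_letters + string.digits + "!@#$%^&*-_")  # assumed set
GENERATED = "k7Q!m2Zx9#Lp4Wv8Rt6B"  # constructed 20-character sample password

def policy_hint():
    """Text the form should display next to the password field."""
    return (f"Password must be {MIN_LEN}-{MAX_LEN} characters; "
            "allowed: letters, digits and !@#$%^&*-_")

def validate(pw):
    """Return a list of human-readable problems; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"too short: {len(pw)} characters, minimum is {MIN_LEN}")
    if len(pw) > MAX_LEN:
        problems.append(f"too long: {len(pw)} characters, maximum is {MAX_LEN}")
    bad = sorted(set(pw) - ALLOWED)
    if bad:
        problems.append("characters not allowed: " + " ".join(repr(c) for c in bad))
    return problems

def _hash(pw, salt):
    # Salted PBKDF2; the iteration count is kept low for the demo only.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def set_password_truncating(pw):
    """Assumed faulty behaviour: over-long input is cut without any message."""
    salt = os.urandom(16)
    return salt, _hash(pw[:MAX_LEN], salt)

def set_password_strict(pw):
    """Reject invalid input and say why, instead of storing something else."""
    problems = validate(pw)
    if problems:
        raise ValueError("; ".join(problems) + ". " + policy_hint())
    salt = os.urandom(16)
    return salt, _hash(pw, salt)

def login(pw, record):
    """Compare the full submitted password against the stored record."""
    salt, digest = record
    return hmac.compare_digest(_hash(pw, salt), digest)

if __name__ == "__main__":
    record = set_password_truncating(GENERATED)
    print("full password logs in:", login(GENERATED, record))
    print("first 16 chars log in:", login(GENERATED[:MAX_LEN], record))
    print("strict form says:", validate(GENERATED))
```

With the truncating setter, the user's 20-character password never works and only its first 16 characters do, which matches the lockout described in post #1; the strict setter surfaces the problem at the moment the password is chosen.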