The Glass is Too Big - Home

An Open Plea to Creators of Login Pages

Originally published on: 9/15/2008 2:01:11 PM

I just reset my password on the ASP.NET forums for the 6th time. I know that it's been 6 times because I can see archived emails proving that point. However, none of those emails gave me a clue to either what my changed password was or why I keep needing to change it.

So, I reset the password yet again and went to my email to click reset link #7. When I went to choose a new one, I was immediately reminded of why I forgot my password and why I will likely continue this cycle of resetting until the reminder finally sticks.

I put in one of my "normal" passwords that I use for things like forums and was greeted with what jogged my memory:



Invalid password. All passwords must be at least 6 characters long and contain at least 1 uppercase character, at least 1 lowercase character, and at least 1 numeric character (digit).



I've since gone back to create a new account as a test and this message is nowhere on any of the following:



  • The registration page.
  • The "Lost your password?" page.
  • The reset password page.
  • etc.



Of course, if this was a singular instance of this problem, I'd probably just move on, irritated. However, this kind of thing is nearing universality as web sites and web applications start pushing for password policies. This is just one of the best examples of how to do it wrong.

I'm not going to get into whether the policies themselves make sense. Heck, in some places in the world, password policies are making it into banking legislation, removing the option of doing it any other way.

However, if you're going to enforce a password policy that is anything other than "whatever you feel like entering", it is your job to help the people who are interacting with your site remember the conditions when they created that password.

So, PLEASE, if you are building such a site, with such a password policy, display that policy whenever my login fails, whenever I might be about to reset or request that you send me a new password, when I register and, quite frankly, whenever the username and password boxes appear on your site. It would make the world a better place.
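One way to keep the displayed policy from drifting away from the enforced one is to define the rules once and generate both the hint text and the validation from that single list. The sketch below is an added example, not code from the ASP.NET forums or from this post; the rule values mirror the error message quoted above, and every name in it (POLICY, describePolicy, checkPassword, loginFailureMessage) is hypothetical.

```javascript
// Added example. Rule values come from the error message quoted in the post;
// the Unicode-aware letter classes are an assumption about what counts as a letter.
const POLICY = [
  { text: "be at least 6 characters long", test: (p) => [...p].length >= 6 },
  { text: "contain at least 1 uppercase character", test: (p) => /\p{Lu}/u.test(p) },
  { text: "contain at least 1 lowercase character", test: (p) => /\p{Ll}/u.test(p) },
  { text: "contain at least 1 numeric character (digit)", test: (p) => /[0-9]/.test(p) },
];

// Join rule texts into one sentence fragment: "a, b, and c".
function joinRules(texts) {
  if (texts.length <= 1) return texts.join("");
  return `${texts.slice(0, -1).join(", ")}, and ${texts[texts.length - 1]}`;
}

// Hint to render beside every password box: register, login, lost password, reset.
function describePolicy(policy = POLICY) {
  return `Passwords must ${joinRules(policy.map((r) => r.text))}.`;
}

// Enforcement uses the same list, so the hint and the check cannot disagree.
function checkPassword(password, policy = POLICY) {
  const unmet = policy.filter((r) => !r.test(password)).map((r) => r.text);
  return { ok: unmet.length === 0, unmet };
}

// Message for the register and reset pages: name exactly what is still missing.
function rejectionMessage(password) {
  const { ok, unmet } = checkPassword(password);
  return ok ? "" : `Invalid password. It must also ${joinRules(unmet)}.`;
}

// Message for a failed login: it does not say whether the username or the
// password was wrong, but it does repeat the policy as a memory aid.
function loginFailureMessage() {
  return `Login failed. Reminder: ${describePolicy()}`;
}
```

Because the policy is already public on the registration page, repeating it on the login and reset pages gives away nothing new.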

Comments

Picky Password Policy Pet Peeve | Garrick Van Buren .com
commented on 11/21/2008
[...] This difference even exists between the service provider and the person using the service - as J Wynia describes. [...]
© 2003- 2010 J Wynia. Very Few Rights Reserved.