Originally published on: 9/15/2008 2:01:11 PM
So, I reset the password yet again and went to my email to click reset link #7. When I went to choose a new one, I was immediately reminded of why I forgot my password and why I will likely continue this cycle of resetting until the reminder finally sticks.
I put in one of my "normal" passwords that I use for things like forums and was greeted with what jogged my memory:
Invalid password. All passwords must be at least 6 characters long and contain at least 1 uppercase character, at least 1 lowercase character, and at least 1 numeric character (digit).
I've since gone back to create a new account as a test and this message is nowhere on any of the following:
Of course, if this was a singular instance of this problem, I'd probably just move on, irritated. However, this kind of thing is nearing universality as web sites and web applications start pushing for password policies. This is just one of the best examples of how to do it wrong.
I'm not going to get into whether the policies themselves make sense. Heck, in some places in the world, password policies are making it into banking legislation, removing the option of doing it any other way.
However, if you're going to enforce a password policy that is anything other than "whatever you feel like entering", it is your job to help the people who are interacting with your site remember the conditions they had to meet when they created that password.
So, PLEASE, if you are building such a site, with such a password policy, display that policy whenever my login fails, whenever I might be about to reset or request that you send me a new password, when I register and, quite frankly, whenever the username and password boxes appear on your site. It would make the world a better place.
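The usual reason the policy text is missing (or, worse, disagrees with what the server actually checks) is that the validation code and the help text live in two different places. One way to make the policy impossible to hide is to make the rule list the single source of truth for both. The following is an added example, not code from the original post or from the site being complained about; the `PasswordPolicy` and `Rule` names are my own, and the rules reproduce the policy quoted above (at least 6 characters, one uppercase, one lowercase, one digit):

```python
"""Password policy that is its own documentation.

Added example (not from the original post). The rule list is the single
source of truth: the help text shown on the registration, reset and login
forms is generated from exactly the rules that reject a password, so the
two can never drift apart. Names below are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Rule:
    description: str              # human-readable clause shown to the user
    check: Callable[[str], bool]  # True when the password satisfies the rule


def min_length(n: int) -> Rule:
    # Derive the text from the same number the check uses, so changing
    # the minimum in one place updates both the check and the message.
    return Rule(f"be at least {n} characters long", lambda pw: len(pw) >= n)


def contains(kind: str, predicate: Callable[[str], bool]) -> Rule:
    return Rule(f"contain at least one {kind}",
                lambda pw: any(predicate(c) for c in pw))


class PasswordPolicy:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def failures(self, password: str) -> List[str]:
        """Descriptions of every rule the password violates (empty means OK)."""
        return [r.description for r in self.rules if not r.check(password)]

    def is_valid(self, password: str) -> bool:
        return not self.failures(password)

    def describe(self) -> str:
        """The policy text to render wherever a password box appears."""
        return "Passwords must: " + "; ".join(r.description for r in self.rules) + "."

    def rejection_message(self, password: str) -> str:
        """What to show when a new password is refused: the unmet rule(s)
        followed by the full policy, so the user sees both."""
        failed = self.failures(password)
        if not failed:
            return ""
        return "Invalid password: it must " + " and ".join(failed) + ". " + self.describe()

    def login_failed_message(self) -> str:
        """What to show after a failed login. The policy is not a secret
        (anyone who registers sees it), so restating it costs nothing and
        may jog the user's memory before they hit the reset link."""
        return "Login failed. Reminder: " + self.describe()


# The policy quoted in the post, expressed as rules.
# str.isupper()/islower()/isdigit() operate per character, and len() counts
# code points, so non-ASCII passwords are handled consistently.
POLICY = PasswordPolicy([
    min_length(6),
    contains("uppercase letter", str.isupper),
    contains("lowercase letter", str.islower),
    contains("digit", str.isdigit),
])


if __name__ == "__main__":
    print(POLICY.describe())
    print(POLICY.rejection_message("password"))
    print(POLICY.login_failed_message())
```

Because `describe()` is computed from the rules, every form (register, reset, login) can call it and display the same text; the registration form cannot silently fall out of step with the server-side check, which is exactly the failure the reset loop above illustrates.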