An Open Plea to Creators of Login Pages

Sep 15, 2008

I just reset my password on the ASP.NET forums for the 6th time. I know that it's been 6 times because I can see archived emails proving that point. However, none of those emails gave me a clue to either what my changed password was or why I keep needing to change it.

So, I reset the password yet again and went to my email to click reset link #7. When I went to choose a new one, I was immediately reminded of why I forgot my password and why I will likely continue this cycle of resetting until the reminder finally sticks.

I put in one of my "normal" passwords that I use for things like forums and was greeted with what jogged my memory:

Invalid password. All passwords must be at least 6 characters long and contain at least 1 uppercase character, at least 1 lowercase character, and at least 1 numeric character (digit).

I've since gone back to create a new account as a test and this message is nowhere on any of the following:

  • The registration page.
  • The "Lost your password?" page.
  • The reset password page.
  • etc.

Of course, if this was a singular instance of this problem, I'd probably just move on, irritated. However, this kind of thing is nearing universality as web sites and web applications start pushing for password policies. This is just one of the best examples of how to do it wrong.

I'm not going to get into whether the policies themselves make sense. Heck, in some places in the world, password policies are making it into banking legislation, removing the option of doing it any other way.

However, if you're going to enforce a password policy that is anything other than "whatever you feel like entering", it is your job to help the people who are interacting with your site remember the conditions when they created that password.

So, PLEASE, if you are building such a site, with such a password policy, display that policy whenever my login fails, whenever I might be about to reset or request that you send me a new password, when I register and, quite frankly, whenever the username and password boxes appear on your site. It would make the world a better place.
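
One way a site could do this, added here as an example (not code from the original post or from the ASP.NET forums): a single policy definition, using the rules from the error message quoted above, generates both the validation and the text shown beside every password box, so the two cannot drift apart. All constant and function names are hypothetical.

```javascript
// Added example. Rule values come from the error message quoted in the post;
// POLICY, describePolicy, unmetRequirements and passwordHint are hypothetical names.
const POLICY = {
  minLength: 6,
  classes: [
    { name: "uppercase character", test: /[A-Z]/, min: 1 },
    { name: "lowercase character", test: /[a-z]/, min: 1 },
    { name: "numeric character (digit)", test: /[0-9]/, min: 1 },
  ],
};

// Human-readable policy, generated from POLICY rather than typed by hand.
function describePolicy(policy = POLICY) {
  const parts = policy.classes.map((c) => `at least ${c.min} ${c.name}`);
  const list = parts.slice(0, -1).join(", ") + ", and " + parts[parts.length - 1];
  return `All passwords must be at least ${policy.minLength} characters long and contain ${list}.`;
}

// Returns the requirements a candidate password fails (empty array = accepted).
function unmetRequirements(password, policy = POLICY) {
  const chars = [...password];
  const unmet = [];
  if (chars.length < policy.minLength) {
    unmet.push(`at least ${policy.minLength} characters long`);
  }
  for (const c of policy.classes) {
    const count = chars.filter((ch) => c.test.test(ch)).length;
    if (count < c.min) unmet.push(`at least ${c.min} ${c.name}`);
  }
  return unmet;
}

// Text for any page with a password box: "register", "reset", "lost-password",
// "login" or "login-failed". A failed login shows only the static policy and
// does not say which field was wrong; a rejected new password lists what is missing.
function passwordHint(context, attempted = null, policy = POLICY) {
  const policyText = describePolicy(policy);
  if (context === "login-failed") return `Login failed. ${policyText}`;
  if (attempted !== null) {
    const unmet = unmetRequirements(attempted, policy);
    if (unmet.length > 0) {
      return `Invalid password. Not met: ${unmet.join("; ")}. ${policyText}`;
    }
  }
  return policyText;
}
```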

 


One Response to “An Open Plea to Creators of Login Pages”

  1. Picky Password Policy Pet Peeve | Garrick Van Buren .com Says:

    [...] This difference even exists between the service provider and the person using the service – as J Wynia describes. [...]


© 2003-2010 J Wynia. All original content is licensed under the terms of the Creative Commons Attribution license unless otherwise noted. Content from other sources is licensed under its original terms.