DISQUS

dmiessler.com | grep understanding: The List Of Shame: Websites That Don’t Allow Special Characters In Their Passwords

  • E · 2 years ago
    Ok, maybe it's trivial to implement, but I don't think the benefits are much, for the reasons you mentioned. Plus, you are using a bad password generator if it doesn't allow you to change its settings to, e.g., not use special characters.

    What's much more shameful, imo, are corporations, etc. that make users change their passwords every month. That's absolutely terrible.
  • Tim · 2 years ago
    I remember once (a long long time ago) I was installing some version of linux, and when I put in my password for the root account it told me the password was too long and I had to pick another one.
  • Jared · 2 years ago
    "The ones that stand out are the financially-oriented sites, obviously, but the fact that Digg doesn’t allow special characters just blows my mind (Reddit does). "

    Becareful of taking a holier than thou attitude, while you can use special characters in reddit, they are stored plain text in their database despite the fact that their backups containing the passwords were stolen from the back of a van a few months ago.
  • yoshi · 2 years ago
    @E

    If is so trivial to implement than why -not- do it?

    Allowing a wider character set for the password allows the user to choose a complex passphrase that they are more likely to remember or more familiar with. I'll bring up the example of the so called "security questions" (used by ING, BoA and half the world). If asked for the "City of your Birth" and you can't enter in "St. Louis" because the tool won't allow the "." (period) than I've just created an exception to something I know and can remember. The next time I'm asked that question I'll screw it up. This is basic usability.

    I find it interesting that we continue to argue about this topic. Just the other day I attempted to log into an application and it wouldn't allow me in. My first theory (and the correct one it turned out) was the back end system was an older Oracle system. My password just happened to have an '@' sign in it. Its 2007 and we can't even get escaping the password correct.
  • chris · 2 years ago
    Your post reminds me of this blog entry here:
    http://blogs.ittoolbox.com/security/investigato...


    It's just as important, if not more, to allow your visitors to login securely. Even if your password was 27 characters and completely random, a sniffer will log it just as easily as a short, easy password.


    @Jared

    Bloglines stores their passwords in clear text, also. I've had to have them send it to me a couple of times and instead of sending me some random garbage, they send my real password to me. Good security, indeed.

    That's why it's important to use different passwords. If someone compromises one, they just have access to that one resource.
  • Matt · 2 years ago
    This annoys me also. I get angry when sites don't even allow spaces or punctuation. I use phrases (around 3 or 4 words) for my passwords since they are easy to remember. The length also makes dictionary attacks infeasible, so I can use regular words.
  • Matt · 2 years ago
    "Becareful of taking a holier than thou attitude, while you can use special characters in reddit, they are stored plain text in their database despite the fact that their backups containing the passwords were stolen from the back of a van a few months ago."

    I believe you are mistaken. After they lost the backups and everyone yelled at them they implemented password hashing.
  • Jared · 2 years ago
    Matt you're right I haven't actually tried the feature since they changed it but the wording on the front page implies that it's still stored plain text. My bad.