The List Of Shame: Websites That Don’t Allow Special Characters In Their Passwords

Started by Daniel Miessler · 7 months ago

It’s 2007. There’s absolutely no excuse for websites today to not allow special characters in their passwords. Whether you use a memory scheme or an encrypted database application for generating and storing your passwords, it’s highly annoying when you come acro ...

8 comments

  • Ok, maybe it's trivial to implement, but I don't think the benefits are much, for the reasons you mentioned. Plus, you are using a bad password generator if it doesn't allow you to change its settings to, e.g., not use special characters.

    What's much more shameful, imo, are corporations, etc. that make users change their passwords every month. That's absolutely terrible.
  • I remember once (a long, long time ago) I was installing some version of Linux, and when I put in my password for the root account it told me the password was too long and I had to pick another one.
  • "The ones that stand out are the financially-oriented sites, obviously, but the fact that Digg doesn’t allow special characters just blows my mind (Reddit does). "

    Be careful of taking a holier-than-thou attitude: while you can use special characters in Reddit, they are stored in plain text in their database, despite the fact that their backups containing the passwords were stolen from the back of a van a few months ago.
  • @E

    If it is so trivial to implement, then why -not- do it?

    Allowing a wider character set for the password allows the user to choose a complex passphrase that they are more likely to remember or more familiar with. I'll bring up the example of the so-called "security questions" (used by ING, BoA and half the world). If asked for the "City of your Birth" and you can't enter "St. Louis" because the tool won't allow the "." (period), then I've just created an exception to something I know and can remember. The next time I'm asked that question I'll screw it up. This is basic usability.

    I find it interesting that we continue to argue about this topic. Just the other day I attempted to log into an application and it wouldn't allow me in. My first theory (and the correct one, it turned out) was that the back-end system was an older Oracle system. My password just happened to have an '@' sign in it. It's 2007 and we can't even get escaping the password correct.
  • Your post reminds me of this blog entry here:
    http://blogs.ittoolbox.com/security/investigato...

    It's just as important, if not more, to allow your visitors to log in securely. Even if your password was 27 characters and completely random, a sniffer will log it just as easily as a short, easy password.

    @Jared

    Bloglines stores their passwords in clear text, also. I've had to have them send it to me a couple of times, and instead of sending me some random garbage, they send my real password to me. Good security, indeed.

    That's why it's important to use different passwords. If someone compromises one, they just have access to that one resource.
  • This annoys me also. I get angry when sites don't even allow spaces or punctuation. I use phrases (around 3 or 4 words) for my passwords since they are easy to remember. The length also makes dictionary attacks infeasible, so I can use regular words.
  • "Be careful of taking a holier-than-thou attitude: while you can use special characters in Reddit, they are stored in plain text in their database, despite the fact that their backups containing the passwords were stolen from the back of a van a few months ago."

    I believe you are mistaken. After they lost the backups and everyone yelled at them they implemented password hashing.
  • Matt, you're right. I haven't actually tried the feature since they changed it, but the wording on the front page implies that it's still stored in plain text. My bad.
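A worked example added here, not code from the thread or from dmiessler.com: the '@'-sign-in-Oracle escaping failure and the plain-text storage complaints in the comments above both go away when a site treats the password as opaque text and lets only a salted hash reach the database. The alphanumeric-only whitelist, the 12-character minimum and the PBKDF2 iteration count are values assumed for the example.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# The "list of shame" behaviour: a whitelist that rejects anything outside
# letters and digits, so "St. Louis" or a passphrase with spaces is refused.
ALNUM_ONLY = re.compile(r"[A-Za-z0-9]+")

def restrictive_policy_accepts(secret: str) -> bool:
    """Mimics a site that forbids special characters (the thread's complaint)."""
    return ALNUM_ONLY.fullmatch(secret) is not None

# Hardened variant: accept any printable text and enforce a length floor
# instead of a character whitelist. Both constants are assumed for the example.
MIN_LENGTH = 12
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor

def permissive_policy_accepts(secret: str) -> bool:
    if len(secret) < MIN_LENGTH:
        return False
    # Reject only control characters; spaces, '@', '.', quotes are all fine.
    return all(unicodedata.category(ch)[0] != "C" for ch in secret)

def hash_secret(secret: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'. The plaintext is
    never written anywhere, so there is nothing to escape for a back-end DB."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_secret(secret: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def store_and_check(secret: str) -> dict:
    """Run one secret through both policies, then round-trip it through the
    hash-based store and confirm a near-miss guess is rejected."""
    result = {"restrictive": restrictive_policy_accepts(secret),
              "permissive": permissive_policy_accepts(secret)}
    if result["permissive"]:
        stored = hash_secret(secret)
        result["roundtrip"] = verify_secret(secret, stored)
        result["wrong_rejected"] = not verify_secret(secret + "x", stored)
    return result
```

Because the stored record is the hash's hex encoding, the original password's characters never appear in any query or log, which is why a '@', a period or a space needs no escaping at all.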
