User-interface gripe: password requirements

Posted by Matt Thommes on November 20, 2009 | Post type: Pain | Status: Unresolved

Some systems require that you make a complicated password. Algorithms are used to decide whether a password is weak or strong, based on its length and its mixture of upper/lower-case letters or alphanumeric characters.

Screenshot of password creation form

In many cases, you can't even proceed until you create an extra-complicated password.

Since when did it become the duty of the system to make sure I provide a hard-to-guess password? It used to be that responsibility fell on the user.

I think this is bad design. It's not only difficult and frustrating to have to figure out what an "allowed" password must contain, it impedes users from actually using the application.

Not only that, but if you work in a technical field, handling customer support, it's likely you'll need to create "test" accounts to log into certain systems. These would be temporary accounts that get removed immediately after diagnosing the problem, and often use passwords such as "test," just to get into the system quickly.

From a technical background, I understand the need for security, but if it impedes experienced professionals from diagnosing a problem, then it's a bit too much.

Since there is no official "standard" for what a "good" password must contain, every system handles it its own way. This means that for every site or system I register with, I have to figure out, all over again, how to create a good password.

A particular MySQL database host requires seven characters and "rates" how strong my password is, without telling me anything else, but still denies me if my password is not "strong enough." Should I use more numbers, or more upper-case letters?

A certain banking site requires at least five characters, two of which have to be a number, and at least one upper-case character.

All these "requirements" have my head spinning, when I just want to use the application!
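As an added example (not code from the original post), here is how a site could express such rules as an explicit list and tell the user exactly which requirement failed, rather than returning a bare "not strong enough." The two policies are modelled on the database host and the banking site described above; the rule wording is an assumption made for this example.

```python
"""Transparent password-policy check: report every unmet rule, not a bare score.

Added example, not code from the original post. The two policies below are
modelled on the ones the post describes: a database host wanting seven
characters, and a bank wanting five characters, two digits and one upper-case
letter. The rule descriptions are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Rule:
    description: str                  # shown to the user when the rule fails
    check: Callable[[str], bool]      # True when the password satisfies the rule


def min_length(n: int) -> Rule:
    return Rule(f"at least {n} characters", lambda p: len(p) >= n)


def min_digits(n: int) -> Rule:
    return Rule(f"at least {n} digit(s)",
                lambda p: sum(c.isdigit() for c in p) >= n)


def min_upper(n: int) -> Rule:
    return Rule(f"at least {n} upper-case letter(s)",
                lambda p: sum(c.isupper() for c in p) >= n)


# Policies modelled on the two sites in the post (constructed for this example).
DB_HOST_POLICY = [min_length(7)]
BANK_POLICY = [min_length(5), min_digits(2), min_upper(1)]


def unmet_rules(password: str, policy: List[Rule]) -> List[str]:
    """Return the description of every rule the password fails, in policy order.

    An empty list means the password satisfies the policy. Listing the failed
    rules is the feedback the post says the database host never gives.
    """
    return [r.description for r in policy if not r.check(password)]


if __name__ == "__main__":
    for candidate in ("test", "Test12"):
        print(candidate, "->", unmet_rules(candidate, BANK_POLICY) or "accepted")
```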

A better approach would be to use OpenID for commercial sites, or another idea would be to only let the "bad" passwords last for so long, and then require users to change them to continue using the application. So, I could gain temporary access with an "unapproved" password, but only access the system for so long, like an hour.

But until these improvements are considered, please let me supply whatever weak password I want!

About the author(s)

Matt Thommes is an independent publishing enthusiast, mobile blogger, content creator, informative writer, and web developer from a suburb of Chicago. Never one to conform, Matt intends to promote the effect the web has on our lives, in an effort to intensify, instruct, and clarify all that is happening around us.
