It boggles me endlessly when sites have draconian requirements for passwords. I use a password generator/store application called 1Password. This application lets me create crazy strong passwords for every site I interact with. This means I can ratchet up the special characters and length without any worry that I won’t remember the password. I know I won’t remember; I use a computer to do the remembering. Anyway, this works great unless I’m up against sites like T-Mobile that offer ridiculous rules:
- Must be between 8 and 15 characters.
- Must include letters and numbers.
- Must contain uppercase and lowercase letters.
- Cannot contain spaces or special characters (!, @, $, %, ‘).
So the first rule makes some sense: short passwords are less secure. However, there should be no maximum length, because every extra character adds bits of entropy, and more bits means longer crack times in the case someone does get hold of the hash. Senseless.
Requiring letters and numbers is good as is requiring upper and lower case letters. Adding more variety to the symbol set means someone trying to brute force the password will be at it for a lot longer.
No spaces or special characters… wtf? There are dozens of special characters available on a standard keyboard. Thousands if you count multi-key sequences that produce special characters. Allowing these characters would make it extremely burdensome to try to haxX0r people’s passwords.
As if that isn’t bad enough, T-Mobile goes even further to make life miserable for its users: a complete restriction on the input methods the user can use to set their password. In the screen shot above, you can see that the UI engineer who built this page has disabled pasting into the fields. They’ve also made the fields refuse to accept drag and drop text. I can’t fathom the product decision-making that would require this sort of input. For me, this means that if I want to use a highly varied, randomly generated password, I would have to manually enter all 15 characters of it exactly correctly… twice. Fucking insanity. Fortunately for me at least, the HTML DOM is a dynamic place, so I can just remove these dubious “features” via the web inspector and get back to what I was trying to do. This web page is a dick.