Specific Password Requirements

Republished from The One with the Thoughts of Frans (external link).

Have you ever visited a website with specific password requirements? Nearly every website has a minimum length requirement. Various websites want capital letters, numbers, or - more commonly - both. In itself, this isn't so bad, but I keep forgetting all of these requirements. Websites should list their password requirements in places other than the account creation form and the change-password form. I don't want them to pollute the main page or the login interface, but when I enter the wrong password, I want to be informed of these requirements.

Note: I'm not a fan of capitals in passwords actually, but I recognize that they may make passwords more secure. However, I very much doubt that EaRLGr3Y is more secure than m4h.d0gg.has.bad.br3ath!. I must admit that I didn't run any password generation tests, though. Regardless, it would be easy to throw one or more capitals in there and that's not the problem.

I have a password formula that I consider to be secure, and it is based primarily on length. Short sentences are easy for me to remember, and it's not terribly hard to remember where to alter a few things to make one a secure password. My main objection is to pages that have (in my opinion) ridiculous maximum length limits. I've managed to come up with a 12-character password for this issue because, in my experience, most of my problems seem to be related to this maximum password length. However, this has significantly impaired my ability to incorporate a capital somewhere. Anyway, enough of that. The problem is that when I go to a site with such annoying requirements, I try to log in with one of my usual set of passwords and fail. Of course, to make matters more annoying, after three failed tries they lock me out for 30 minutes. Most of this could have been avoided by what I have said above. If, for some reason, you see the need to restrict password length, inform me when my login fails.

In summary, after a failed login I want to see something in the spirit of the following:

Login failed. Are you sure you've entered the correct username and password?

- If you forgot your username, you can enter your e-mail address to have it e-mailed to you.
- If you forgot your password, you can request an e-mail with a link that will enable you to change your password, but, before you do so, please consider:
  - The password needs to be at least 8 and at most 12 characters long.
  - The password needs to contain a capital letter.
  - The password needs to contain an integer.
  - The password needs to contain one of the following symbols: ;:.?`
  - And so on and so forth...

If you thought that this was primarily a rant about password requirements that I consider unfortunate, you are correct. While I can imagine that it might not be easy to fix this issue, my proposed semi-solution is easy to implement. Given the nature of hashes, there's no practical reason to enforce a maximum password length, so please don't. Aside from that, I'd still like to be informed when capitals are required.
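The two points above can be shown in code: a rule table drives both the requirement list shown after a failed login and the check run on a new password, and a password hash has a fixed size no matter how long the input is, which is why a storage-motivated maximum length is unnecessary. This is an added example, not code from the post or from any site it complains about. The `POLICY` dictionary is a constructed stand-in mirroring the rules quoted in the post, and PBKDF2-HMAC-SHA256 from the standard library stands in for whatever password hash a site actually uses. Two practitioner caveats: bcrypt silently uses only the first 72 bytes of the input, and slow key-derivation functions make it reasonable to keep a generous ceiling (NIST SP 800-63B asks verifiers to allow at least 64 characters) purely to bound CPU time per login attempt; neither justifies a cap of 12.

```python
from __future__ import annotations

import hashlib
import os
from typing import Callable, Optional

# Constructed policy mirroring the rules quoted in the post (hypothetical site settings).
POLICY = {
    "min_length": 8,
    "max_length": 12,        # set to None to lift the cap, as the post recommends
    "require_upper": True,
    "require_digit": True,
    "symbols": ";:.?",
}

Rule = tuple[str, Callable[[str], bool]]


def build_rules(policy: dict = POLICY) -> list[Rule]:
    """Turn a policy into (human-readable text, predicate) pairs.

    One table serves both the message shown after a failed login and the
    validation on the change-password form, so the two can never disagree.
    """
    lo, hi = policy["min_length"], policy.get("max_length")
    bound = f"at least {lo}" + (f" and at most {hi}" if hi is not None else "")
    rules: list[Rule] = [(
        f"The password needs to be {bound} characters long.",
        lambda p: len(p) >= lo and (hi is None or len(p) <= hi),
    )]
    if policy.get("require_upper"):
        rules.append(("The password needs to contain a capital letter.",
                      lambda p: any(c.isupper() for c in p)))
    if policy.get("require_digit"):
        rules.append(("The password needs to contain an integer.",
                      lambda p: any(c.isdigit() for c in p)))
    symbols = policy.get("symbols")
    if symbols:
        rules.append((f"The password needs to contain one of the following symbols: {symbols}",
                      lambda p: any(c in symbols for c in p)))
    return rules


def requirement_text(policy: dict = POLICY) -> list[str]:
    """The full rule list, suitable for display after a failed login."""
    return [text for text, _ in build_rules(policy)]


def unmet_requirements(password: str, policy: dict = POLICY) -> list[str]:
    """Rules a candidate password fails; an empty list means it is compliant."""
    return [text for text, ok in build_rules(policy) if not ok(password)]


def failed_login_message(policy: dict = POLICY) -> str:
    """The post-failure text the post asks for: a generic failure line plus the policy.

    It lists the site's rules, not anything about the stored password, so it
    reveals nothing an attacker could not already read on the sign-up form.
    """
    lines = [
        "Login failed. Are you sure you've entered the correct username and password?",
        "If you forgot your password, you can request a reset link, but before you do so, please consider:",
    ]
    lines += ["  - " + text for text in requirement_text(policy)]
    return "\n".join(lines)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 (stand-in for the site's real password hash).

    The digest is always 32 bytes, whether the password is 8 or 800 characters,
    so nothing about storage requires a maximum length.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


if __name__ == "__main__":
    print(failed_login_message())
    for candidate in ("EaRLGr3Y", "m4h.d0gg.has.bad.br3ath!"):
        print(candidate, "->", unmet_requirements(candidate) or "compliant")
    # Same password with the cap lifted: only the missing capital remains.
    print(unmet_requirements("m4h.d0gg.has.bad.br3ath!", {**POLICY, "max_length": None}))
    for pw in ("Ab3;xyzq", "x" * 800):
        print(len(pw), "chars ->", len(hash_password(pw, iterations=1000)[1]), "byte digest")
```

Running the script prints the failed-login message, shows that the post's two example passwords each miss a rule under the quoted policy, and shows that lifting `max_length` leaves only the capital-letter rule unmet for the long passphrase, while both an 8-character and an 800-character password hash to the same 32-byte digest.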