Like any self-respecting paranoid geek, I proudly employ secure passwords whenever possible. My passwords have:
- 10 or more characters.
- letters (uppercase and lowercase), numbers, AND "special" characters.
- no words or personal information.
Oh, and I use different passwords for each of my accounts.
Recently, I tried to change my passwords for my bank, electric company, and prescription drug provider. They each had their own restrictions.
I like (a phrase, which here means, "I don't like") that they further define "special" characters. No '~', '@', '=', or ':'?
My prescription drug provider assumes their users know what "special" characters are. Oh, and they can't allow their clients to use those crazy spaces.
My electric company explicitly defines the allowable characters, but in my opinion, it is too restrictive.
They also have a nice undocumented restriction (yeah! my favorite). They don't allow passwords greater than 10 characters. They don't tell the user that until they try. I'm sure that doesn't annoy anyone.
As a software developer, I can't think of a reason to restrict a user's password. Maybe the developers were concerned about SQL Injection, which is noble, but why should the user suffer? Why restrict the password maximum length? Is disk space really that precious? Make the database column unrealistically large and forget about it.
Having to lump the developers at SourceForge.net into this short-bus-web-developer category really cuts deep. I feel like I've lost my geek innocence.
It's worse than the time I realized that Hackers wasn't a documentary.