Thursday, April 12, 2007

Passwords & misinformation...

I continue to be amazed at the number of ways that people can botch signups for online services, and Dr. Dobb's Life 2.0 conference just reminded me of that.

You go to their site to register for this free conference, and you have to give them a password. The first question is "Why?" There's certainly nothing private about registering for a conference that I can see, but what the heck, I'll give them my password.

The instructions clearly say:

LIFE 2.0 PASSWORD (SIX CHARS MINIMUM)

so I carefully type in my usual "non-secure" password which has a special character included (old habit of putting in something a little less guessable, and the one I commonly use for these kinds of "Who cares?" registrations) and attempt to move on.

Up comes a dialogue box that says "Blah!"

Yep, you read that right: "Blah!"

Hardly what I'd call a user-friendly response to a perfectly reasonable password that has been accepted by maybe 95% of the websites that I visit. After I click "OK" on this message (not what I would really like to tell them, but that's my only choice), they finally display "Password invalid! Please re-enter".

Notice that they don't tell me what's wrong with my perfectly valid password... just that it's wrong and I should try again.

(Un)Fortunately, I've learned that some sites -- like Dr. Dobb's site -- just don't get it when it comes to passwords. They:
  1. Don't give you good instructions on how to enter your password.
  2. Make poor decisions about what is an "acceptable" character in a password.
  3. Don't give you good instructions when things don't work as expected.

What's ironic and a little sad is that their "minimum 6 characters" is almost certainly based on the idea that longer passwords are harder to guess. That may or may not be the case, but not allowing special characters makes them easier to guess.
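
An added example, not code from the conference site or from this post: a JavaScript sketch of a signup check that covers the three points above by publishing its rules, accepting special characters, and saying exactly what failed. The function names, the control-character rule, and the letters-and-digits-only restriction in `validateRestrictive` are assumptions made for illustration.

```javascript
// Added example; rule set, names and messages are assumptions, not the site's code.
const MIN_LENGTH = 6; // the only rule the form actually stated

// Rules are data, so one list drives both the on-page instructions and the errors.
const RULES = [
  {
    text: `at least ${MIN_LENGTH} characters`,
    ok: (pw) => [...pw].length >= MIN_LENGTH, // count code points, not UTF-16 units
  },
  {
    text: "no control characters (tabs, newlines, etc.)",
    ok: (pw) => !/[\u0000-\u001f\u007f]/.test(pw), // everything printable is allowed
  },
];

// Text to show beside the field before the user types anything.
function instructions() {
  return "Password must have: " + RULES.map((r) => r.text).join("; ");
}

// Reports every rule the password breaks, so the user knows what to change.
function validate(pw) {
  const failed = RULES.filter((r) => !r.ok(pw)).map((r) => r.text);
  return {
    valid: failed.length === 0,
    message: failed.length === 0 ? "" : "Password needs: " + failed.join("; "),
  };
}

// For contrast: an undocumented character restriction (assumed here to be
// letters and digits only) paired with the generic message quoted in the post.
function validateRestrictive(pw) {
  if (pw.length < MIN_LENGTH || /[^A-Za-z0-9]/.test(pw)) {
    return { valid: false, message: "Password invalid! Please re-enter" };
  }
  return { valid: true, message: "" };
}

// Guessing cost in bits for a random password of `length` symbols drawn
// from an alphabet of `alphabetSize` characters.
function keyspaceBits(alphabetSize, length) {
  return length * Math.log2(alphabetSize);
}
```

For a random six-character password, `keyspaceBits(62, 6)` (letters and digits) is about 35.7 bits, while `keyspaceBits(95, 6)` (all printable ASCII) is about 39.4 bits.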

And just why is a special character (a few sites have only a few special characters that they don't allow... go figure!) not allowed anyway? It's not like a password is going to be 'executed' and thus open the door for some kind of hack... that is true, isn't it, Dr. Dobb's?

Too bad... it shouldn't be this difficult!
