When the company decides to change their password handling and implements it poorly.
Case in point: I used to have a "strong" password (i.e., one that's harder to guess because I have used special characters and relatively random selection of characters) at DirecTV -- "gt*9facts" (not my real password, of course). I've used my strong password for well over a year now with absolutely no problems. BTW, if you want a few pointers on creating a strong password that's easier to remember, visit http://www.4mypasswords.com/welcome/tutorial. Or see the Wikipedia entry on strong passwords.
Just the other day, I needed to login to my DirecTV site and entered that password: it failed. I tried several times (I can make typing mistakes :-) but to no avail. I finally clicked the "Forgot your password?" link, thinking that maybe I had changed the password and forgotten about it.
Imagine my surprise when the email from DirecTV told me that my password was, in fact, "gt*9facts"! Even cutting/pasting from the email into the website yielded a password failure.
Searching through the site, I finally found that they now had a policy that you could only use alphanumeric characters in your password -- that is, the "*" in my password was invalid.
So what went wrong here?
- First, DirecTV implemented their change poorly. It's one thing to require new visitors to use the new requirements -- that's a simple change to the input validation scheme. It's totally another thing (and poor user interface design) to also change the processing of an existing password to exclude already-accepted characters. At the very least, what they should have done is allow existing passwords to continue to work; much less hassle for their users.
- Second, DirecTV sent out a bad "Here's your password" email. If they implemented the change they did, then they should have put smarts into the rest of their password system. What they could have done is parse the password, note newly invalidated characters and either: (i) pointed out the problem and provided a link to automatically generate a new password; or (ii) modified the password, replacing those invalid characters with a standard replacement.
- Finally, DirecTV reduced the ability of their users to generate strong passwords. Granted, many users do not generate strong passwords. However, please don't take away that capability for those of us who do want flexibility in generating good passwords. Better security is better.
Not the right way to treat a customer!