“To set, or not to set: that is the question:
Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous password rules,
Or to take arms against a sea of hackers,
And by opposing, end them? To change, to forget—
No more; and by a forget to say we end
The heartache, and the thousand natural shocks
The memory is heir to: ’tis a consummation
Devoutly to be wished. To change, to forget—
To forget, perchance to dream—ay, there’s the rub:
For in that forgetfulness of death
What dreams may come when we have shuffled off
This mortal coil of alphasymeric chains”
ChatGPT4, in a Hamlet type of mood

Passwords are old hat, we know this. They were old hat in the 1980s when SecurID tokens first became available. However, there is one specific issue with passwords which is really driving me nuts: hidden password rules.

These days, most people with any intention of holding on to their sanity will be using some form of password manager or password vault. This makes it easy to have unique, complex, autogenerated passwords for each site that insists on us setting one up. And that is a good thing, because sharing passwords between sites is definitely a bad thing.
It is absolutely up to each individual site to decide what the rules are for its passwords – length, complexity, character classes which must be included, and disallowed characters.
I have no problem with this. But tell us the rules before asking us to create a password!
This is something I’ve come across on many sites: they ask for a password, you give them a password, then they tell you what the rules were because you failed to comply with the hidden rules and your candidate password is rejected.
That’s just plain bonkers, and, I suspect, coded by someone who either has some deep-rooted issues that badly need sorting out or is a very poor programmer.
It Gets Worse
But today a site I had to set a password on managed to eclipse all those other sites with its sheer attitude, which I choose to describe as one of a Rigid Taxidermist Policy, i.e. stuff everyone!
Here is the complete error message I got after putting in a nice strong password.

That was it. There are hidden password rules, and it isn’t even telling me what symbols are, or are not, allowed, let alone what other arbitrary and bizarre rules it may have.
It’s taking the piss good and proper, and it feels like there is some insane Blackadderesque character enjoying every moment of confusion and anguish. Even common symbols seemed to be rejected and, eventually, I gave up and stuck to uppercase letters, lowercase letters, and uppercase numbers[1]. Not a symbol in sight.

I decided, narrowly, against naming and shaming the site concerned. But instead I am awarding them a little trophy.

What Can Be Done?
Any site developers out there: please ensure that password rules are explained clearly up-front!
Anyone commissioning a website out there: please ensure that this is specified in the requirements!
Anyone who meets situations like these: please, if you can bear to, a short polite note to the site administrators can alert them to this annoying behaviour and, who knows, maybe get it resolved?
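
One way a site can avoid hidden rules, as an added example that is not from this post or from any site it mentions: keep the policy in one object and generate both the up-front help text and the rejection messages from it, so the two cannot drift apart. The limits, symbol set and function names below are hypothetical.

```javascript
// Added example: hypothetical policy; every name and limit here is an assumption.
const POLICY = {
  minLength: 12,
  maxLength: 64,
  allowedSymbols: "!#$%&*+-=?@_",
  required: [
    { name: "an uppercase letter", test: /[A-Z]/ },
    { name: "a lowercase letter", test: /[a-z]/ },
    { name: "a digit", test: /[0-9]/ },
  ],
};

// Text to render next to the password field BEFORE the user types anything.
function describePolicy(p) {
  return [
    `Length: ${p.minLength} to ${p.maxLength} characters.`,
    `Must contain ${p.required.map((r) => r.name).join(", ")}.`,
    `Letters, digits and these symbols are allowed: ${p.allowedSymbols}`,
  ];
}

// Returns one specific message per broken rule; an empty list means accepted.
function checkPassword(p, candidate) {
  const problems = [];
  const chars = Array.from(candidate); // count code points, not UTF-16 units
  if (chars.length < p.minLength) {
    problems.push(`Too short: ${chars.length} characters, minimum is ${p.minLength}.`);
  }
  if (chars.length > p.maxLength) {
    problems.push(`Too long: ${chars.length} characters, maximum is ${p.maxLength}.`);
  }
  for (const rule of p.required) {
    if (!rule.test.test(candidate)) problems.push(`Missing ${rule.name}.`);
  }
  // Name the exact characters that were rejected and repeat the allowed set.
  const rejected = [...new Set(chars.filter(
    (c) => !/[A-Za-z0-9]/.test(c) && !p.allowedSymbols.includes(c)))];
  if (rejected.length > 0) {
    const shown = rejected.map((c) => JSON.stringify(c)).join(" ");
    problems.push(`Not allowed: ${shown}. Allowed symbols: ${p.allowedSymbols}`);
  }
  return problems;
}
```

The server should run the same check against the same policy object, and the page should insert these messages as text rather than as HTML.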
Rant over.
Footnotes
[1] Yes, really. The ones you tend to get by default are really akin to uppercase. The older style ones are much more lowercase-like!