A rant about passwords

Okay.  Having just attempted to change my password on a site which shall remain nameless, and having my desired password be rejected, I confess that I’m upset.  My grandmother told me never to write angry, but I’m going to ignore that advice for a moment.

Why is it that some website designers, in their supposed infinite wisdom, decree that they know better than their users what can comprise an acceptable password?  It’s my password, it’s my account, it’s my information: let me secure it how I want.  It’s bad enough when you get a message that your password is not secure enough to meet the lofty requirements of the site:

“Your password is too easy for you to remember, please add more punctuation and numbers and capital letters, and don’t use any words out of the dictionary.  Here’s a suggestion for your password: @#$S59u01Cxx7*(6. Perfect! We’ll just set that for you, rather than the password that you chose.”

Do these masters of security not realize that the first thing that happens when you force someone to use a completely incomprehensible, completely non-intuitive password like that is that the user WRITES THE PASSWORD DOWN???!! How on earth is this secure?  Indeed, I submit that these types of passwords are actually less secure, because they are not easy for the person to remember, and therefore leave records for someone else to discover.

Worse, though, from my perspective are those designers that decree from their lofty perches that your chosen password can’t be used because those same designers have decided that their users’ passwords must be constructed from a very limited set of allowable characters:

“I’m sorry, but your secure password is not acceptable because you must make your password out of only lower-case letters and numbers.  Here’s a good password for you: pa55w0rd

No one will ever, ever, ever guess that one, we promise!”

Dammit, get over yourselves.  Just let me use the password that I want to use, please, and let’s both move on about our business.

By the way: when I encountered the first type of message this morning, the password that I had wanted to use was this: ‘I like gibberish.’ That’s right: it was a passphrase, rather than a password: easy and intuitive for me to remember, but very difficult for someone to guess, and also difficult to crack.  Brute-force tactics against that password would statistically take many more years to break it than either I or the designer of the site would likely be alive, but it was decreed to be unsuitable because it contained no numbers.

When I encountered the second type of message this morning, the password that I had wanted to use was this: ‘Twas brillig, and the Hobbits did roam.’ Which was rejected because passwords for that particular site had to be eight characters or less and made up of only A-Z, a-z or 0-9.

So, putting on my professional’s hat for a moment, to give a small piece of advice to website designers:

  1. Let your user choose whatever password they want.
  2. It doesn’t matter to you what characters are in it, or how long it is, because you shouldn’t store that actual password at all.
  3. You should store an irreversible hash of the password, instead, which, when done correctly will:
    1. produce a value of a known and constant length.
    2. not reveal your user’s actual password in the event of your database being compromised by an attacker.
  4. All pages involved in either creating the password or logging in with the password should be on pages protected by SSL.
  5. You should then compare the hash of what the user submits to you to the hash you’ve stored in the database.

Okay, rant finished.
