The Password Rant

If you run a website with an authentication system, please read this. It's about passwords and it's important.

Stop putting arbitrary character limits
If you use bcrypt or any sufficiently effective hashing method, you basically don't need a character limit. Yes, after a certain amount of characters (55 for bcrypt), the hash won't change. But to put a 15 or 18 character limit, less than half of the allowed amount, is unforgivable. Also, your minimum character count doesn't need to be 18. Just set it to 8.

Accept all characters
Why is it that some sites limit the special character types that you can use? Like they'll say "Sorry, '*' is not allowed. Allowed symbols: […]#$%"

Can we get some logic behind this? Just allow any character. Again, if you're using a decent hashing method, it won't matter. And yes, you should allow spaces too.

Make your requirements visible
If you are going to ask for 2 upper case letters, one lowercase, at least 15 characters, a number, no more than 3 consecutive characters, no common words, and only certain symbols, just tell me. Don't make me figure it out after trying 10 different passwords. "Weak password" doesn't tell me anything about your requirements.
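Here is what the three points above look like in code: a minimum of 8, a maximum that is only there to stop someone posting a megabyte, any character accepted (spaces and non-ASCII included), every violation reported in words the user can act on, and the password itself never stored. This is an added example, not code from the post; it uses scrypt from Python's standard library as the "sufficiently effective hashing method" in place of bcrypt, and the constants and function names are my own choices.

```python
import hashlib
import hmac
import os
import unicodedata

# Policy values assumed for this example: a short minimum, and a maximum high
# enough that it never gets in the way of a long passphrase.
MIN_LENGTH = 8
MAX_LENGTH = 1024  # a denial-of-service guard only, not a "security" limit

# scrypt cost parameters assumed for this example (about 16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def check_password_policy(password: str) -> list[str]:
    """Return every requirement the password fails, in plain words.

    Only length is checked: any character is allowed, including spaces and
    non-ASCII. An empty list means the password is acceptable.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(
            f"must be at least {MIN_LENGTH} characters (yours is {len(password)})"
        )
    if len(password) > MAX_LENGTH:
        problems.append(f"must be at most {MAX_LENGTH} characters")
    return problems


def _encode(password: str) -> bytes:
    # Normalise so the same passphrase typed on different keyboards hashes the same.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str) -> str:
    """Salted, memory-hard hash. This string is what you store, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        _encode(password), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    # Self-describing record: the parameters travel with the hash so they can be
    # raised later without breaking existing accounts.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(
            _encode(password), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=32,
        )
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record, bad hex, or invalid parameters
        return False
```

Note that the policy function returns the whole list of problems at once, which is the "just tell me" part: the sign-up page can print every unmet requirement instead of a bare "Weak password".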

Make your login page password-manager-friendly
A lot of people use services like Dashlane, LastPass, and 1Password nowadays. The list of logins people have is growing bigger and no one can remember all of those passwords. If you never tested your site with a password manager to make sure that it's able to autofill and isn't blocked by some poorly written controlled component, I will shed a tear and then leave your website.

Don't make me reset my password every x months
If you require your users to reset their password every 3 months, stop it. Various studies have been done on this and it's been shown that you don't get any extra security by resetting your password every 3 months. Just force the user to create a good password and they'll be fine.

If I ever find out you're storing passwords in plain text...
I saw this recently. The website emailed me my password after I created an account. Stop it. Hash. Your. Passwords. Now, I know that just because you get your password emailed to you, it doesn't necessarily mean they are storing it in plain text. But if you're emailing passwords, I'm going to assume you don't know how to properly hash them either.

Stop with the security questions
This one might be unpopular since Apple and some banks do it, but please stop this. If I want to reset my password, send a link or code to my email. If I somehow can't get into my email, too bad. Knowing the name of my first pet and the model of my first car should not allow someone into my account.

Let people use the same password twice
This one might also be unpopular since lots of big companies do it, but in my opinion, it shouldn't matter if you use the same password twice. Most people aren't tech-savvy and probably aren't using a password manager. They're using a password like MyKidsName444. Let them use that password. If you make them change it to a new one, they will forget and you will need to spend resources helping them reset it to something else that they will forget (I've worked at the Apple Store, I know this).

Don't send me a temporary password
This happens so often. I don't even know why. In what universe would you have to send me a temporary password with random characters and then ask me to reset it after I type it in? Either provide a link or, if you think I'm already on the page, send me a 4-digit code that expires in 10 minutes. And those sites that send you a temporary password and don't ask you to reset it... Oh my.
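The "send a code to my email" flow from the security-questions section and this one, as an added example that is not from the post: a 4-digit code that expires in 10 minutes, is single-use, and is stored only as a hash. One thing the post doesn't say that matters in practice: a 4-digit code has only 10,000 possible values, so the store also caps guesses per code, otherwise expiry alone does not stop someone trying them all. The class, the attempt limit and the injectable clock are my own choices.

```python
import hashlib
import hmac
import secrets
import time

# Policy values assumed for this example.
CODE_DIGITS = 4
CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5  # 10,000 possible codes: without a cap the code is guessable


class ResetCodeStore:
    """Issues single-use reset codes and keeps only their hashes.

    The clock is injectable so expiry can be exercised without sleeping.
    Hashing keeps the plain code out of the database and logs; with a 4-digit
    space, the expiry and the attempt cap are the real protection.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # user_id -> {"hash", "expires_at", "attempts"}

    @staticmethod
    def _hash(user_id: str, code: str) -> bytes:
        # Tie the code to the account it was issued for.
        return hashlib.sha256(f"{user_id}:{code}".encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id and return it for the caller to email.

        Issuing again replaces any earlier code, so only one is ever live.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[user_id] = {
            "hash": self._hash(user_id, code),
            "expires_at": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def redeem(self, user_id: str, code: str) -> bool:
        """True exactly once, for the right code, before expiry and within the cap."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._now() > entry["expires_at"]:
            del self._pending[user_id]  # expired: the user must request a new one
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]  # too many guesses: same remedy
            return False
        if hmac.compare_digest(self._hash(user_id, code), entry["hash"]):
            del self._pending[user_id]  # single use
            return True
        return False
```

The same structure works for an emailed link: put a long random token from `secrets.token_urlsafe()` in the URL instead of four digits, and the attempt cap stops mattering because the space is no longer guessable.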

Don't show me my password unless I ask for it
Amazon does this. I also saw this happen with Headspace a few days ago. Stop it. Passwords are supposed to be secret. I don't want someone looking over my shoulder to be able to straight up read my password. What if you're in a public place and there are cameras?

On usernames
I know this is supposed to be about passwords, but let me rant about usernames real quick.

  • Stop requiring numbers in usernames. It doesn't make it more secure
  • Stop requiring uppercase letters
  • On your login page, the first field should either be "email" or "email or username." Not just username
  • Stop requiring it for resetting passwords. An email is enough. People forget usernames all the time
  • Tell me if a username is available or not before I click sign up. Have a small delay to see if I've stopped typing and then check
  • Let people change their usernames. Believe it or not, this goes for emails too