Don’t vet Passwords!

I’ve designed loads of forms in my time, some for collecting random data, some for logging in, and some for user sign up. I usually employ form validation to make sure it’s a valid email, and a valid phone number etc, but I never check the password (unless it’s for length). I myself like to sign up to each and every service I come across and generally I’m satisfied with what I get in terms of form design. However there are some websites that tell me that my password can only contain letters and numbers! Most of my passwords are 17 characters or longer, with letters, numbers and symbols, so when a site tells me I should effectively make my password less secure I get really annoyed.

Companies like Google and Microsoft never stop telling up to make our passwords more secure, Facebook and Twitter say the same, so why on Earth should websites be asking us alter them? I for one cannot see why developers are intent on doing this? MySQL Injection – no! Unless of course they’ve never heard of mysql_real_escape_string(), but I doubt that.

So what I really want to say is this – don’t ask users to exclude certain components from their passwords! And if you know the reason for this travesty, please feel free to comment and make me look like an idiot 😉