Secure passwords: the other side of the story


Naive users most commonly take the brunt of bad online security. Everyone complains that we, the users, don’t choose strong enough passwords; that we don’t change our passwords often enough; that we pick passwords that are easily guessed based on personal information and yada yada yada.

Now, being a computer science professional, I’m reasonably paranoid about my passwords. However, I’m not quite that serious about them either. For instance, I largely just use two passwords: one “difficult” password, for places that I care about, and one “easy” password, for places I don’t care about. Both passwords are between 8 and 10 characters long. And I have been using them for quite some time now (read years).

So I figured it was time to update my passwords and be a little more careful about it. So I went around updating my passwords. Well, it turns out that setting a strong password is not as easy as it sounds. Here are some of the problems I encountered:

* **Upper limit on the length of the password**: This one is completely beyond me. Why, oh why would you ever *need* to do this? Sure, you might *want* to do this (for storage reasons, for preventing bots from doing buffer overflow attacks or whatever) but do you really need to **enforce** it? Countless websites (prominent ones include AT&T and Chase.com, among others) have an upper limit on the length of the password. This is very annoying, especially if I have come up with a new password that I’m quite happy with, but it happens to be 2-3 characters over the limit on some of these web sites. Do you really think someone will use a password that is more than 30-50 characters in practice? If you absolutely must put an upper limit, at least use something sensible like 100 or 200. Limits of 12, 16 or 18 characters are just plain stupid.
* **Disallowing spaces and “special” characters**: This is absolutely killer. On one hand, I’m being asked to choose a strong and secure password. On the other hand, I’m also told that I can’t use spaces, punctuation, parentheses or any other “special” characters. Now, one really easy way of choosing a secure password is to actually use a passphrase or a complete sentence (including punctuation) — they are notoriously hard to break, even if the individual words of the sentence are simple. But if I am forced not to use phrases or sentences, the only thing I can do is use some alphanumerical word, which inevitably is something short and easy to remember and consequently much easier to guess/break. Am I to understand that the likes of Chase have such bad backend code that they can’t handle special characters in passwords?!! Give me a break!
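The two bullets above describe a restrictive policy (a short cap, no spaces or punctuation) and the passphrase-friendly one the post argues for. The added example below is mine, not code from the post or from any site it names; it puts the two policies side by side and shows that once a password is hashed as bytes, spaces and special characters cost the backend nothing. The policy values and the sample passphrase are constructed.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Constructed policy values. RESTRICTIVE mirrors the "12, 16 or 18" caps and
# alphanumeric-only rules the post complains about; PERMISSIVE uses a cap of
# 200 (the post's own suggestion) only to bound work for the slow hash below.
RESTRICTIVE = {"min_len": 8, "max_len": 16, "alnum_only": True}
PERMISSIVE = {"min_len": 12, "max_len": 200, "alnum_only": False}


def check_password(pw: str, policy: dict) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password under a policy."""
    pw = unicodedata.normalize("NFC", pw)  # one stable form for non-ASCII input
    if len(pw) < policy["min_len"]:
        return False, f"shorter than {policy['min_len']} characters"
    if len(pw) > policy["max_len"]:
        return False, f"longer than {policy['max_len']} characters"
    if policy["alnum_only"] and not pw.isalnum():
        return False, "contains spaces or punctuation"
    # Control characters are the one class worth rejecting regardless of policy.
    if any(unicodedata.category(c) == "Cc" for c in pw):
        return False, "contains control characters"
    return True, "ok"


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over UTF-8 bytes, so any character is fine."""
    salt = salt or os.urandom(16)
    pw_bytes = unicodedata.normalize("NFC", pw).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, 600_000)


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored salt/digest pair."""
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


if __name__ == "__main__":
    # Constructed sample passphrase with spaces, punctuation and parentheses.
    phrase = "Correct horse: battery staple? (2006)"
    print(check_password(phrase, RESTRICTIVE))  # (False, 'longer than 16 characters')
    print(check_password("Hello, world!", RESTRICTIVE))  # rejected for punctuation
    print(check_password(phrase, PERMISSIVE))  # (True, 'ok')
    salt, digest = hash_password(phrase)
    print(verify_password(phrase, salt, digest))  # True
```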

I urge you all to act as responsible users. If you use a service which prevents you from setting a secure password, stop using that service or at least bring the fact to their attention. Users have long been blamed for online security issues, but the service providers are equally responsible. It is time to call them out and make them fix these issues.

4 comments

  1. Odi

    A good reason not to allow the colon : character in usernames/passwords: BASIC authentication. The BASIC scheme reserves this character to separate the two… poor design really, but widely used.

  2. Steve Loughran

    -length limits are lack of imagination, or use of fixed length fields in a database.
    -special characters may be because they don’t encrypt or escape the text and don’t want semicolons or quotes in there.

    The problem I’m encountering these days is coming up with passwords that match our NT domain rules and are easy to type in a mobile phone. You only want to use the first character of every phone button for those…

  3. Peter L

    The key word is ‘responsible’. That responsibility has to be applied on both ends: by the services/businesses/organizations in setting up their systems, as well as by the users.
