The One with the Thoughts of Frans

Password Shaming Monkop

Twenty characters? Get out of here.

Here’s what my password manager has to say about operating in such conditions.

To make matters worse, Monkop thinks + is an invalid character in e-mail addresses (it is perfectly valid in the local part per RFC 5322, and plus-addressing is exactly how many people keep one mailbox per site).

Definitely an excellent first impression so far.


The password has to be at most 10 characters long

At least they were nice enough to abide by my rules. 🙂


Password Shaming

I’d swear I had an account associated with Diablo II and Starcraft in the early 2000s, but either it was deleted due to nearly two decades of inactivity or I used some e-mail address I don’t remember anymore.

But anyway, a 16 character maximum? How am I supposed to work with that? Grmbl.

And then we get these “secret” questions.

So now I theoretically also have to save fake answers in my password manager?

But look, it’s all okay, because there’s SMS Protect!


To sum up, 16 characters is probably sufficiently secure, but why would you ever make that a maximum?


Specific Password Requirements

Have you ever visited a website with specific password requirements? Nearly every website has a minimum length. Many also want capital letters, digits, or (more commonly) both. In itself this isn’t so bad, but I keep forgetting all of these requirements. Websites should list their password requirements in places other than the account-creation and password-change forms. I don’t want them cluttering the main page or the login form, but when I enter a wrong password I want to be told what the requirements are.

I have a password formula that I consider to be secure, and it is based primarily on length. Short sentences are easy for me to remember, and it’s not terribly hard to remember where to alter a few things to turn one into a secure password. My primary gripe is with sites that have (in my opinion) ridiculous maximum length requirements. I’ve managed to come up with a 12-character password for this situation because, in my experience, most of my problems stem from such maximum password lengths. However, this has significantly impaired my ability to incorporate a capital somewhere.

Anyway, enough of that. The problem is that when I go to a site with such annoying requirements, I try to log in with one of my usual set of passwords and fail. To make matters more annoying, after three failed attempts the site locks me out for 30 minutes. Most of this could have been avoided by what I said above: if, for some reason, you see the need to restrict password length, tell me so when my login fails.

In summary, after a failed login I want to see something in the spirit of the following.

Login failed. Are you sure you’ve entered the correct username and password?

  • If you forgot your username, you can enter your e-mail address to have it e-mailed to you.
  • If you forgot your password, you can request an e-mail with a link that will enable you to change your password, but before you do so, please consider:
    • The password needs to be at least 8 and at most 12 characters long.
    • The password needs to contain a capital letter.
    • The password needs to contain a digit.
    • The password needs to contain one of the following symbols: ;:.?`
    • And so on and so forth…

If you thought that this was primarily a rant about password requirements that I consider unfortunate, you are correct. However, I can imagine that the underlying issue might not be easy to fix, whereas my proposed semi-solution is easy to implement. I very much doubt that this will be read by anyone who can change the slightest bit about any of the sites that are bothering me, nor that it will really help anybody else out there, but regardless, I just needed to get this out here. Since the password is run through a hash (or a proper password-hashing function) and only the fixed-size result is stored, the length of what the user typed costs the site nothing, so there is no practical reason to enforce a maximum password length; please don’t. Aside from that, I’d still like to be informed when capitals are required.
