Website Passwords: A Big Mess

TL;DR: You will inevitably be screwed when you try to change your website passwords.

So a few months ago, I changed all of my website passwords. I used a simple pseudorandom ASCII-only character generator to ensure the uniqueness of each one. In the process, I discovered that many websites have horrible, broken password interfaces.

This post is mainly a rant. Setting and changing passwords should never be difficult, and the rules should be 100% transparent. We end users have probably collectively wasted millions of hours on broken password interfaces, and will waste millions more until the issues below are addressed every time someone deploys a new website.

Special Characters

Many websites tell you a list of special characters that are not allowed in passwords. Sadly, this list is often incomplete. Worse still, some only accept alphanumeric passwords, but are silent as to this restriction — and to top it off, they don’t even bother to tell you why your chosen password is invalid! The gall.

It appears that the restriction against special characters is largely a matter of legacy vs. modern platforms. Newer websites like Wikipedia allow you to choose any character from a US ASCII keyboard. Many older institutions (Bank of America, for example) have very strange special character restrictions, which almost seem arbitrary (did you know that Bank of America calls passwords “passcodes”?).

What needs to be done: at a minimum, accept every character on a US ASCII keyboard: [a-zA-Z0-9], all punctuation, and spaces. (Tabs can be excused, since some browsers will not let you type one into a text field.) There is no security reason to refuse any of them; a password that is hashed and never interpreted cannot hurt anything, and a site that has to forbid quotes or semicolons is telling you it does something with the raw password that it should not.
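As an added illustration (not code from the original post), here is a policy check that follows this rule: the allowed set is every printable US ASCII character including space, only control characters such as tab are refused, and a rejection names the exact offending characters instead of a bare "Invalid Password". The minimum and maximum lengths are assumptions chosen for the example; the same function covers the length complaints in the next section, since a user should learn every rule from one message.

```python
import string

# Assumed limits for this example. The maximum is deliberately generous:
# a correctly hashed password costs the same to store at 128 characters
# as at 8, so a short cap buys the site nothing.
MIN_LEN = 12
MAX_LEN = 128

# Every printable character on a US ASCII keyboard, including space (the
# post's stated minimum). Tab and other control characters are not in it.
ALLOWED = frozenset(string.ascii_letters + string.digits + string.punctuation + " ")

POLICY = (
    f"{MIN_LEN} to {MAX_LEN} characters; letters, digits, spaces and any "
    "punctuation on a US ASCII keyboard are all allowed."
)


def check_password(password: str) -> list:
    """Return a list of problems with the password; an empty list means it is accepted.

    Each entry names the rule that failed and the numbers or characters
    involved, so the user never has to guess why a password was refused.
    """
    problems = []
    length = len(password)
    if length < MIN_LEN:
        problems.append(f"Too short: {length} characters, the minimum is {MIN_LEN}.")
    if length > MAX_LEN:
        problems.append(f"Too long: {length} characters, the maximum is {MAX_LEN}.")
    rejected = sorted({c for c in password if c not in ALLOWED})
    if rejected:
        shown = ", ".join(repr(c) for c in rejected)
        problems.append(f"Not allowed: {shown}. {POLICY}")
    return problems


def password_ok(password: str) -> bool:
    """Convenience wrapper for a yes/no answer."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs, one per failure mode plus two that pass.
    for candidate in [
        "correct horse battery staple",   # spaces are fine
        "p@$$w0rd!~`^&*()<>|\\\"'",        # every punctuation mark is fine
        "short",                           # too short
        "tab\there",                       # control character, and too short
        "x" * (MAX_LEN + 1),               # too long, and the message says so
    ]:
        print(repr(candidate[:40]), "->", check_password(candidate) or "accepted")
```

Whether to go beyond US ASCII is a separate decision; the only restriction that ever makes sense is on control characters, so a site that wants to accept non-ASCII can simply widen ALLOWED. The important part is that the limits are stated in the message, and that the same check runs on the change-password form and the login form.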

Password Length

This is the biggest problem. Roughly half of my website passwords are subject to a maximum character limit. Some enforce a 12-character limit (socalgas.com is one example). Some enforce a 16-character limit (bugs.freedesktop.org, login.live.com). Barnesandnoble.com has a 15-character limit (no spaces allowed, alphanumeric only).

But the best part is this: many of these sites do not tell you about the limit. So you can spend five or ten minutes working out a great mnemonic device for a fantastic password, and you'll get hit with some "Invalid Password" error. Yet another well-meaning user slapped in the face.

Many sites are fixated on rejecting three- or four-character passwords, using an interactive "password strength" meter that refuses anything short. But they still fail to tell you that your password is too long.

EDIT: Bela pointed out in the comments another common bug: the site will happily accept your chosen password, but silently truncates it to a shorter length (with no warning, of course). Beyond the surprise, the stored password is then weaker than you think it is, and with a prefix-plus-site-specific-suffix scheme like Bela's it can quietly collapse to the same short password on several sites.

What needs to be done: state exactly how many characters the user may use, reject anything longer with a message that says so, and never silently truncate.
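The silent truncation Bela describes, as an added example that is not code from the original post. LegacyStore models a backend that keeps only the first 8 characters, which is what the classic DES-based crypt(3) does with 8 bytes; SaneStore hashes the whole password with PBKDF2-HMAC-SHA256 from the Python standard library (the iteration count and salt size are assumed values for the demo). find_truncation is the accidental check from the comments made deliberate: log in with prefixes of your own password and learn how many characters the site actually looks at.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumed value, kept modest so the
# probe below runs quickly; a deployment would use a higher count or a
# memory-hard function.
ITERATIONS = 100_000
SALT_BYTES = 16


def derive(password: str, salt: bytes) -> bytes:
    """Hash the full password; nothing is dropped, whatever the length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class SaneStore:
    """Credential store that keeps a salted hash of the entire password."""

    def __init__(self):
        self._users = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._users[user] = (salt, derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, expected = self._users[user]
        return hmac.compare_digest(expected, derive(password, salt))


class LegacyStore(SaneStore):
    """Same store, but it silently keeps only the first LIMIT characters.

    This is the behaviour the commenter describes, and it is what the
    DES-based crypt(3) scheme does at 8 bytes: everything after the limit
    is ignored on both set and verify, with no warning to the user.
    """

    LIMIT = 8

    def set_password(self, user: str, password: str) -> None:
        super().set_password(user, password[:self.LIMIT])

    def verify(self, user: str, password: str) -> bool:
        return super().verify(user, password[:self.LIMIT])


def find_truncation(store, user: str, password: str):
    """Return the number of characters the store actually checks, or None.

    The probe the commenter ran by accident: log in with a prefix of the
    real password. For a truncating backend every prefix at least LIMIT
    long is accepted and every shorter one refused, so acceptance is
    monotonic in prefix length and a binary search finds the shortest
    accepted prefix in O(log n) logins. None means only the full password
    works, i.e. nothing is being dropped.
    """
    if not store.verify(user, password):
        raise ValueError("full password does not verify; nothing to probe")
    low, high = 1, len(password)
    while low < high:
        mid = (low + high) // 2
        if store.verify(user, password[:mid]):
            high = mid
        else:
            low = mid + 1
    return None if low == len(password) else low


if __name__ == "__main__":
    secret = "Pa55w0rD_blargldyboop"  # the commenter's example password
    for store in (LegacyStore(), SaneStore()):
        store.set_password("bela", secret)
        print(type(store).__name__,
              "| prefix 'Pa55w0rD' logs in:", store.verify("bela", "Pa55w0rD"),
              "| characters actually checked:", find_truncation(store, "bela", secret))
```

Run a probe like this against your own accounts only, and remember that newer hashes have limits too: bcrypt ignores everything past 72 bytes, so a site using it directly on long passphrases is truncating as well, just at a kinder length. The access.enom.com case below is the inverse failure, a backend that kept all 50 characters behind a login form that will not let you type them; no probe can see that, and the only fix is one policy check shared by the change-password form and the login form.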

Stupidity Award: access.enom.com

If you change your password at this site, be extremely careful: DO NOT choose a password longer than 30 characters. When I changed mine to a 50-character password, the form happily accepted it. Unfortunately, the actual log-in form only lets you type 30 characters! Since access.enom.com has no contact information, you'll have to call someone somewhere somehow to sort out this mess.

Realistic Outlook

Legacy systems are really, really hard to migrate out of. My prediction is that the stupid, broken web interfaces will continue to thrive for at least 20 years. Why? It’s because people in 2031 will still be using passwords that are around 10 characters long with mostly alphanumeric symbols. Sure, web standards will have evolved by that time, but human brains will still be the same. The steady flow of 10-character passwords by the overwhelming majority of users will ensure that legacy systems remain competitive, at least when it comes to dealing with passwords.

Hopefully, by 2111, we’ll have sane password interfaces for all websites. Perhaps it will become a web standard by then, enforced by an international e-court, or some such.


2 thoughts on “Website Passwords: A Big Mess”

  1. One more lame behavior on some sites: it will accept long passwords, but only pays attention to a short password.

    What you described on access.enom.com locked you out.

    What I’m talking about is: you give it the password “Pa55w0rD_blargldyboop”; it saves 8 chars; you can login with just “Pa55w0rD” or “Pa55w0rDzort” or whatever.

    I generally use a scheme like the above: a generic prefix plus some sort of site-specific gibberish. Usually about a 2-step free association from the site name, and garbled.

    At least one site ended up with just the prefix as my password, until I noticed. I forget how I noticed. Maybe I fumbled my fingers, hit Enter before I could stop, was surprised to login successfully, then went back to investigate.

  2. Hi Bela! I remember you!

    > What I’m talking about is: you give it the password “Pa55w0rD_blargldyboop”; it saves 8 chars; you can login with just “Pa55w0rD” or “Pa55w0rDzort” or whatever.

    Yes, I totally forgot about this one. Newegg did this to me (and some other high-profile sites as well).

    > I generally use a scheme like the above: a generic prefix plus some sort of site-specific gibberish. Usually about a 2-step free association from the site name, and garbled.

    I gave up on trying to write human-friendly passwords… All of my pseudorandom passwords are stored in an encrypted file, and I honestly do not have any of them memorized. I could go with a diceware word list approach like in the xkcd comic or some custom scheme like yours, but that would mean that (1) I would have to memorize the password, and (2) since I have like 25+ sites, I’d need 25+ unique passwords to keep in my head.

    Interestingly, I realized that 99% of the sites that I have logins for are really unimportant. Only a handful of sites have my credit card information in them. So, it’s not a bad feeling knowing that I don’t have any of my new passwords memorized.
