It’s 2007. There’s absolutely no excuse for websites today to not allow special characters in their passwords. Whether you use a memory scheme or an encrypted database application for generating and storing your passwords, it’s highly annoying when you come across a site that requires you to lower your password security standards based on character length or complexity.
Few things are more annoying then using your regular algorithm for building a password (one that uses upper, lower, numbers, and special characters) only to have the site tell you that you need to dumb it down in order for it to take it. And it’s even worse for those using password programs that auto-generate extremely long and complex passwords. Having a site tell you your security is “too good” is simply unacceptable.
So after being bothered by this one too many times I blogged about it and created a post in the BBR Security forum asking for sites that have this flaw. Here’s the list we’ve come up with so far:
- Digg !
- Suntrust Bank
- Chase Bank
- Wells Fargo Bank
- Sovereign Bank
- BB&T NASA Credit Union
- Space Coast Credit Union
- Merrill Lynch
[ Please contact me with additions and corrections/deletions ]
The ones that stand out are the financially-oriented sites, obviously, but the fact that Digg doesn’t allow special characters just blows my mind (Reddit does). Surely one can make an argument that passwords are weak anyway, that password length is the most important issue, and that most sites have lockout features, etc., but ultimately the arguments for not implementing this are lame for a simple reason:
It’s trivial to implement and sites only have to do it once. So even if the security gain is minimal there’s just no good reason not to do it.
The bottom line comes down to this: people should be able to use advanced memory-based techniques or password applications that generate very long, complex passwords and have them work everywhere. Sites that force users to lower their standards should be exposed and asked to modernize.
So if you use one of these sites, do the Internet a favor and contact customer service and file a complaint. With enough attention I think we can get at least a few of these to do the right thing.: