Dear Web Developers:
Stop it. Honestly, just stop it.
I am not an idiot. I do get that my passwords need to be complex enough and not the same as my login and should contain letters and numbers and all that. I get it. I'm one of you. I probably know it better than most of you do.
But another thing I get — clearly better than you — is that, as a user attempting to select a new password, I need to know the rules before I try a password!
"Please enter new password" helps me about as much as "Select the number I'm thinking of." I cannot tell you how many times I've had the following interaction.
Site: New password:
Site: Invalid password. New password:
Really? You're not even going to tell me what the constraints are? I'm just supposed to intuit it? Without any input? Was the * invalid? Did I not have enough digits? Was it too long? Too short? For the love of God, give me the rules before you ask me to give you a new password!
Another common exchange goes like this.
Site: New password: ________ (Must be at least 6 characters and contain 1 uppercase, 1 lowercase, and 1 digit.)
Site: Invalid password. Length must be between 6 and 12 characters.
Site: New password: _________ (Must be at least 6 characters and contain 1 uppercase, 1 lowercase, and 1 digit.)
Site: Invalid password. '*' is an invalid character. Only $,%,&,_, and + are allowed.
Site: New password: _________ (Must be . . .
Those whole 'maximum length' and 'allowable characters' bits are crucial for me to know how to create a password worthy of your system, so you need to give me that fucking information before asking me to supply a password. And don't dole it out to me one precious fact at a time! Give it to me all at once and before I am asked to supply a password! Does this seriously never occur to anyone inside your corporate think-tank? Did no one in your development department or your quality assurance department think to question this? Well, they should have.
Also, this is the 21st century. You should accept passwords longer than 8, 12, or 16 characters. Those are woefully inadequate, and if you were on top of things (like you should be), you'd know that longer is better. My default length of password is 24 when I'm not sure, and 32 if I suspect that it might be allowed. Passwords that look like this: @mmmrlP4@vs2J@^MO9vNnHZV.
But no, I'm constantly told that 24 characters is too long. That characters like ^ or @ are invalid. I've even seen some systems where the upper limit on password length is six characters. And some of them don't even require a mix of cases or digits. Seriously. A nine-year-old with very little formal training could crack that without breaking a sweat. While catching the latest Pokémon and Snapchatting the entire thing.
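What the rant is asking for is easy to build: declare the policy once, render it next to the field before the user types, and have the validator return every violation in one go instead of doling them out one per attempt. The following JavaScript is an added example written for this page, not code from the original post; the limits (12 to 128 characters, upper/lower/digit required, only control characters refused) are assumptions chosen to match the advice above, and the username check is the "not the same as my login" rule from the post.

```javascript
// Added example, not code from the original post. One policy object drives
// both the text shown before the user types and the validation afterwards,
// so the two can never disagree. Limits below are assumptions.
const POLICY = {
  minLength: 12,
  maxLength: 128, // an upper bound only exists to bound hashing work, so keep it generous
  requireUpper: true,
  requireLower: true,
  requireDigit: true,
};

// Control characters are the only thing refused; every printable character,
// including spaces and symbols such as ^ @ * $, is allowed.
const CONTROL_CHARS = /[\u0000-\u001F\u007F]/;

// Count code points rather than UTF-16 units so "é" or an emoji counts as one character.
function charCount(s) {
  return Array.from(s).length;
}

// Text to place next to the password field BEFORE the user types anything:
// every constraint, all at once.
function describePolicy(policy) {
  const rules = [`between ${policy.minLength} and ${policy.maxLength} characters`];
  if (policy.requireUpper) rules.push('at least one uppercase letter');
  if (policy.requireLower) rules.push('at least one lowercase letter');
  if (policy.requireDigit) rules.push('at least one digit');
  rules.push('not the same as your username');
  return `Password must be ${rules.join('; ')}. ` +
    'Any printable character (spaces and symbols included) is allowed.';
}

// Checks every rule and returns ALL failures together, so one attempt is
// enough for the user to fix everything.
function validatePassword(password, policy, username = '') {
  const errors = [];
  const n = charCount(password);
  if (n < policy.minLength) errors.push(`too short: ${n} characters, need at least ${policy.minLength}`);
  if (n > policy.maxLength) errors.push(`too long: ${n} characters, maximum is ${policy.maxLength}`);
  if (policy.requireUpper && !/\p{Lu}/u.test(password)) errors.push('needs an uppercase letter');
  if (policy.requireLower && !/\p{Ll}/u.test(password)) errors.push('needs a lowercase letter');
  if (policy.requireDigit && !/\p{Nd}/u.test(password)) errors.push('needs a digit');
  if (CONTROL_CHARS.test(password)) errors.push('control characters are not allowed');
  if (username && password.toLowerCase() === username.toLowerCase()) {
    errors.push('must not be the same as your username');
  }
  return { ok: errors.length === 0, errors };
}

// Usage with constructed sample input: the help text first, then a bad attempt
// that gets all three problems reported at once.
console.log(describePolicy(POLICY));
console.log(validatePassword('short', POLICY, 'alice'));
```

The point of `describePolicy` and `validatePassword` sharing `POLICY` is that the rules the user reads are, by construction, the rules that are enforced; a 24-character password with `@` and `^` in it passes because nothing in the policy ever needed a symbol allow-list.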
So, all I'm asking, really, is for you to use common sense and to think these things through. Put yourselves in the user's place. As a user, yours is not the only site/app I'll be using. I know! I know! Hard to accept, but stay with me! So I might have questions when creating a password for your site/app, such as "How long does it need to be? How long is too long? What characters are required? Are there any invalid characters?" A good web developer does this.
Be a good web developer.
This has been a mini-rant caused by just one too many stupid sites that don't tell what the goddamned constraints are before asking me to create a password.