Manitoba Golf Forum
Password Strength Restrictions
Author: chris_284 [ Mon Apr 11, 2011 2:27 pm ]
Post subject: Password Strength Restrictions
I tried to log in to the forum today (I haven't been on in months... such is the case when you live in a province where you can't golf for 6 months) and I couldn't remember my password. I was putting in the username and password that I generally use for all different forums around the internet. It was working and I couldn't figure it out. I was gonna give up and just not come to the forum to post what I had to say but I decided to persist because I was bored.
I pressed on forgot password, and had a new one emailed to me. When I went to change my password to something I would remember I saw this under the 'New Password' field.
"Password must be between 10 and 20 characters long, must contain letters in mixed case and must contain numbers."
As a software developer and someone who works with coding applications and graphical user interfaces every day, this could definitely be preventing people coming back to these forums and affecting the amount of people you get coming to your site.
In general, people are a part of many different websites that require a username and password. I alone have 4 email accounts I maintain, 2 computers at home, my computer at work, half a dozen forums, eBay, PayPal, banking information, credit card bill information, the list is seemingly endless. I just named 17 different locations that I need a password for off the top of my head, and there are likely 30+.
Of course, I do NOT have 30 different passwords. No one does. It's hard enough remembering 5.
Most people have 1-3 passwords they use for everything. It's not practical for people to remember anything more than that. I have about 3-4 that I use for different things.
I have one that I use for anything I deem needing extra security. This is longer than most, containing numbers and special characters. PayPal, banking, credit card, email, etc. Sensitive information related.
Then I have my work computer. Often offices require a person use a password 8 characters in length with at least 2 numerics and one special character.
Finally, I have my everything password. It gets me into places I don't consider sensitive at all. Forums, etc.
After sitting at the New Password field for a few minutes I realized it was pointless to enter a new one, from the auto-generated random password sent to me in email. There is no way I will ever remember a password 10-20 characters long that needs mixed case, numbers, etc.
While I could use my 'Secure' password that I use for everything, I never would on a forum. Forums generally aren't the most secure at saving passwords, and if I ever lost it, a lot of secure stuff for me would be at risk.
Anyway, this restriction the forum imposes on users for a password is likely keeping people from coming back to the site. They come back in April, or after a month of inactivity, and because less than 10% of people have a password more than 6 characters in length and all made of letters, they don't bother trying to figure out how to get back onto this forum.
This forum, like 99% of the others, should follow the same standard. I don't know what it is but it's likely a minimum of 4-6 characters, with no restrictions on character types. A forum is something that doesn't need to be more secure than that.
You'd be surprised at the amount of simple GUI designs that keep/drive people away from sites and applications. [For good examples of the opposite look at the popularity of the iPhone. Great GUI, so easy to understand and use. For a better one look at the front page of Google. It hasn't changed its look since it started in 1996 and because of its simplicity it is now a powerhouse]
Author: ForumAdmin [ Mon Apr 11, 2011 6:56 pm ]
Post subject: Re: Password Strength Restrictions
I can understand how our password complexity requirements can cause problems and I apologize for any issues it caused you. As you probably know, having weak passwords can be just as bad for a forum or anywhere. I guess I should find a better middle ground.
It's funny you mention no one has 30+ passwords because I have well, well, well over that with everything that I do and no two passwords are identical. Not even for forums. Not even for my many email accounts. I shouldn't assume everyone can remember passwords like I do though. I have a certain technique I use when creating complex passwords that just makes it easy for me to remember long strings of characters, numbers, and symbols passwords.
I could point you to thousands of sites and software with very poor security. It's bad enough with all the constant updates that open up new security holes that need patching. Speaking of the iPhone, they are constantly patching security holes. Of course not everyone is able to take advantage of security holes, and those of us with the knowledge that could if we wanted to don't and we report holes as we find them, but there are those out there that can do damage when they find these holes. Just like someone can do damage when they find a person with weak or identical passwords for banking, PayPal, eBay, emails and even forums.
Every time I talk to someone who has had their email, banking, Facebook, account passwords cracked, I find they have weak or identical passwords for multiple accounts.
I can give you an example of how easy it is to figure out people's passwords, but I don't want to advertise that online.
All times are UTC - 6 hours