A Short Rant on Passwords

It’s been a while since I’ve grumped about the dumb password rules you find on some sites. They have limits on password length, insist on some custom requirement concerning the number of digits, capital letters, and special characters, or, worst of all, they restrict the character sets you can choose from.

Anytime I see “you can use only the special characters…” I know that the site is insecure and probably storing the passwords in plain text. Why else would you care? The sad thing is that this is a solved problem. We KNOW how to hash and salt passwords, and there are turnkey solutions in almost every language used to build Web sites that do so with a simple call. There’s no excuse for the moronic homegrown schemes that do nothing but decrease security.

If you want to enrage yourself, take a look at Dumb Password Rules and the list of sites and their rules. Again, there is no excuse for those stupid artificial restrictions. Anytime you see a limit on password length or a limit on the characters you can use, you can be sure the site isn’t doing the right thing. Sites that do these things should be shunned and shamed until they clean up their act.

But, of course, they won’t be. Instead they’ll continue to promulgate nonsensical rules that serve only to make you and their site less secure. And we’ll all suffer.
