Bad Password Practices

Every now and then I create an account on a new website. Since numerous websites get breached, I choose a unique password for each website. All of those are stored in a password manager. If you want to get a feeling for the number of breaches, look at Have I Been Pwned. Those are only the breaches which became public; there are probably many unreported cases for each public one.

In my password manager I try to create long random passwords which contain letters, digits, and some special characters. Sadly, most of the time I get error messages like this one:


Passwords should be hashed for storage. Therefore it does not matter if there are any “illegal” characters in there. Why are they illegal anyway? Because they could cause a SQL injection? Either way, this looks dubious. Perhaps they only want to make sure that people can type their password on a normal computer keyboard or a mobile phone.

The length is really strange. Why would the length matter? I understand that one restricts the length because one would not want to hash multiple megabytes worth of password. But limiting to 20 characters and banning certain characters sounds like VARCHAR(20) to me.
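The point of the two paragraphs above, as an added example (not code from this post or from any of the sites shown): when the password is hashed with a key derivation function such as scrypt, the stored record has the same size whatever characters or length the user chose. The 1024-byte cap, the scrypt parameters, the NFKC normalisation step and the function names are assumptions picked for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed values for this example, not taken from any site in the post.
MAX_PASSWORD_BYTES = 1024   # bounds hashing cost, far above any generated password
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1}
SALT_LEN = 16
HASH_LEN = 32


def encode_password(password: str) -> bytes:
    """Turn any Unicode password into bytes; the only rule is a generous length cap."""
    # Normalise so the same password typed on different devices gives the same bytes.
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise ValueError("password longer than %d bytes" % MAX_PASSWORD_BYTES)
    return data


def hash_password(password: str) -> bytes:
    """Return salt || scrypt digest: always SALT_LEN + HASH_LEN bytes."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(encode_password(password), salt=salt,
                            dklen=HASH_LEN, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    try:
        data = encode_password(password)
    except ValueError:
        return False  # over-long input can never match a stored record
    digest = hashlib.scrypt(data, salt=salt, dklen=HASH_LEN, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample passwords: quotes, spaces, non-ASCII, and 200 characters.
    samples = ["Tr0ub4dor", "'; DROP TABLE users; --", "pässwörd ☃ with spaces", "x" * 200]
    for pw in samples:
        record = hash_password(pw)
        print(len(pw), "chars ->", len(record), "bytes, verifies:", verify_password(pw, record))
```

The record would go into a fixed-width binary column, so nothing about the storage layer needs to know which characters the password contained.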

At least I am allowed 20 characters on that site. On another site, it is limited to 10 characters:


It also has to contain one digit and one letter. This is something that I can easily create in my password manager. The next one is a bit tougher:


Here I have to have between 8 and 13 characters, “valid characters”, at least one upper case and one lower case letter, and at least one number, but not at the front. Luckily I can generate something which maxes out the possible entropy and just store that in the password manager. If you try to remember such a password, you will have to make sure your memorization scheme allows for all those constraints.

Every time, I have to change the settings on the password generation page. It would be really great if I could just have it set to some length and several sets of character classes. Then I could generate the same kind of password for each website and be done with it. Those extra rules make this impossible.

Another one with length limitation:


Or just ten characters:


The best one is this right here:


It does not even say what the maximum length is! So I had to look at the maxlength attribute of the input tag with the developer tools. Seriously?

My Samsung printer has it even worse: The maxlength on the page where I set the password is higher than that of the field where I have to enter the password. This way I managed to set a password which I cannot possibly enter any more.

On this page, you only have to enter your password once to set it. And it also has to be between 8 and 20 characters:


I would really like for this madness to stop and use my random passwords on every site. Most of the time you contact the company and they do not do anything about it. If I get a response, it is just something like the “We take security very seriously” mantra.