Password policies and sign-up interfaces

Today I came across another stupid site with a confusing password interface/policy.

When signing up for an access token to a "Boris Bike" you have to provide a password for your new account (OpenID is a good idea but unheard of outside tech-savvy sites). The web site helpfully gives you a hint: "Minimum of 8 characters. Your password should contain upper and lower case letters and at least one number." No mention of special characters or of any enforcement, but hey, it's just a token, eh? Of course, when you ignore their suggestion you'll get an error stating that in fact you do have to use upper and lower case characters and digits. Duh. Web designers and programmers not agreeing on policy?

Of course that's still miles better than Lloyds-TSB's "Visa secured" (or whatever it's called) system. For starters, it doesn't even allow anything other than letters and digits in passwords (they don't tell you, of course, waiting for you to try so they can spring an error message on you), nor do they tell you any requirements (until you get an error message telling you what you have done wrong). For the purpose of this post we'll even forget that to sign up all you had to know was some hardly private information about me, or that these security screens from my bank on vendors' web sites are just the best training to teach people to be phished…

Rant over.