RANT: Websites that let users create invalid passwords

I like to create long complex passwords, and 1Password is a great tool for that.

Every once in a while, I come across a website that lets me create an account with a password that WILL NOT WORK with that website.

I just created an account at trulia.com, and used 1Password to generate this password: [font=courier new,courier,monospace]4&+2V3q[vq=Z3e[/font]

Trulia let me create my account which I saved in 1Password.

Then I logged out, and logged back in with 1Password to make sure it worked. (I always do this when creating a new account.) But it didn't work.

So I used Trulia's "Forgot password?" feature to reset it. I was able to log in with the password they sent me. Then I went to the "edit profile" screen to change my password. Again I entered 4&+2V3q[vq=Z3e as my password. It let me save that as my new password. Then I logged out, and manually tried to log back in. Again it rejected my password as invalid.

I reset my password again, and created a new password using only digits and upper & lowercase letters, but no symbols. This one works fine both manually, and with 1Password.

People who design websites like this have made at least two fundamental design errors:
  1. They allow users to enter invalid passwords when accounts are created, and also on their edit profile page (where passwords may be changed).
  2. They don't tell users about these restrictions. Nowhere does it say "symbols not allowed."



  • thightowerthightower T-Dog Agile's Mascot
    I had this issue the other day with TD bank.
  • I can't remember the site now, but I ran into this several weeks ago and it drove me insane. I asked myself the same questions. It also makes me wonder how badly they store the passwords on their backend (unencrypted even?), which makes me even more happy I'm using 1Password to generate unique passwords. There's no excuse for websites to not allow you to use the full ASCII character set and up to 128 or 256 characters for a password in this day and age -- if they're properly coded and escaped.
    Even better are those sites which *e-mail you your password*. I mean, really, who does that in 2011??
    Sorry to hijack your rant thread with another rant, but you're most definitely not alone.
  • khadkhad Social Choreographer

    Team Member
    I think all of us at AgileBits feel your pain on these matters. There are some steps we have taken to work with sites in areas of password restrictions, but unfortunately there isn't much we can do our end. If the form accepts the input (client side) but it is rejected on the backend (server side), 1Password has no way of knowing this to prevent the mixup or help in any way. :S

    It is frustrating.

    There really is no excuse for limits on character set or length of passwords in 2012. We're not there yet, but I thought I would be fair and give the offending sites a month to catch up with the rest of the secure world. :P
  • stevenjkleinstevenjklein Junior Member
    BTW, I sent an email to Trulia explaining the problem — that their "create a new account" password field doesn't use proper validation, allowing users to enter passwords that can't actually be used to log in. In other words, I did the troubleshooting to properly identify the problem.

    Here's their reply:
    Thank you for contacting Trulia. The mix of symbols is the cause for the password issue you experienced…

    I know that! That's what I told them in my original email!

    your feedback about additional messaging about acceptable letters or symbols in a password is great and I will forward it to our specialists.

    Well, yes, that's one possible solution. A better solution would be to fix the damn code! Do proper input validation, and either block people from creating invalid passwords, or design a system that allows those passwords to work.

    It makes me want to scream. Arggghhhh!

    (I really need to cut back on my caffeine.)
  • stevenjkleinstevenjklein Junior Member
    edited December 2011
    khad wrote:

    unfortunately there isn't much we can do our end.

    Rest assured, I do not blame the folks at Agile for the stupidity of others!

    Perhaps we need to publicly shame them somehow. Maybe a new forum folder to publicly name these miscreants. Then we can have an email writing campaign encouraging them to fix their buggy code.

    And I use the word buggy advisedly. After all, do these people claim they intentionally coded a system that lets users create passwords that don't work? Of course not. Well, if their code produces other than the desired behavior, that's what I call a bug!

    Here's another example: xanedu.com. These folks sell content I needed for a college course I'm taking. Their system also let me create a password that I then couldn't use to log on. When I called tech support, and identified myself, the person I spoke to said it was because of the symbols in my password. "How do you know there are symbols in my password?" I asked. The answer (as you've probably guessed by now) is that passwords are stored as PLAIN TEXT!

    Really, the more I think about this, the more I think the Agilebits forums need a hall of shame.
  • khadkhad Social Choreographer

    Team Member
    Rest assured, I do not blame the folks at Agile for the stupidity of others!

    Oh, I didn't think you did. I was just lamenting the fact that it was out of our hands. I'd love to be able to do something about it. :)

    Really, the more I think about this, the more I think the Agilebits forums need a hall of shame.

    Ha! I feel you on that. I'm not sure we want to get involved with "publicly shaming" anyone, though. Hopefully if enough of the sites' users write and complain it will make it harder for them to ignore. Putting together a list on the AgileBits forums would be very easy for them to ignore. ;)
This discussion has been closed.