Opinion: Why no special characters in passwords? Are you a target?

I regularly enter passwords into websites, and am told after I've entered a new password, that I can't use any special characters.

Why exactly?

If I see a site that won't deal with special characters properly, it immediately makes me think there's some pretty poor coding going on under the covers. Very likely, the developers haven't thought through how the parsing of requests, etc. should be handled.

It's not just special characters either. Requiring short passwords is another red flag.

And if you're still using complexity rules (like at least one upper, one lower, one numeric, etc.), read the NIST recommendations on this:

NIST's new password rules – what you need to know

Attack target?

If your website won't allow special characters in passwords, or reasonably long passwords (like a passphrase), it's an indication of poor coding, and it also makes you look like a potentially good target for attacks.

It certainly doesn't make your company look good.

Don't do this!

Leave a Reply

Your email address will not be published.