[sf-lug] passwords - trying to pick good ones, difficulties, and users, and vendors/websites

[Michael Paoli]

So, ... set up a nice secure password - made sure to use HTTPS,
indicates it has to be 6 to 14 characters, and contain at least
one letter and one digit, so I used:
nEc3Twj(ayq<Qq

Vendor then immediately emails (as part of the registration) the
password, without using encryption.  Bleh.

Okay, so let's see if I update the password and the vendor hopefully
won't also email the updated password.  Being sure to use HTTPS again.
I try:
kXvM*T<Pgb^9[W
but it won't let me use that, it gives me:
Password is Invalid. Must be 6-14 characters and contain at least one  
letter and one number.
Well, ... it is and does, so what aren't they telling me, and how much
weaker/stupider do I have to make the password for it to be accepted?

And we wonder why typical users get frustrated and pick weak passwords
like:
a00000
which, by the way, the site tells me for that weak password,
"Password OK."
(but no, I didn't click "Submit" on that weak of a password).

So I try:
mOr0xb%IR8LTPI
and I log out and try to log in again to make sure it works.
The login doesn't work - nor does it work with the prior password I set.
Buggers - the password change input likely mangles or truncates the
password in a manner different than the login authentication.
So, ... I go through the password reset thingy - emails me a weaker password
in the clear, and I use that and try again ...
another attempt, I finally get one that's suitably strong to my
liking, is accepted, and also works when I log out and back in to
confirm they got it right.

And we wonder why users often pick weak passwords - even if they might
be somewhat inclined to pick/use better - potentially much better
ones.

And yes, I'm going to check if they have some suitable contact or the
like to let them know about their password security and validation issues.