Password acceptability needs a universal standard.


I just tried to sign up for AirBNB using my email a@mydomain.com and was presented with a very unusual error.

“You cannot use your email in your password”

Because the prefix of my email was a single letter, the system effectively banned me from using the letter ‘A’ anywhere in my password. I was forced to bypass my password manager and manually craft a custom string just to satisfy this ridiculous rule. I already know that the next time I try to log in, I will inevitably be clicking the “Forgot Password” button.

Many sites nowadays require “Password must be at least 8 characters, contain one uppercase letter, one lowercase letter, one number, and one special character (!@#$%^&).”

Annoyed with this, I always add an exclamation mark at the end along with the number 1, because both characters share the same key on the keyboard.

Some websites will say “Password cannot contain your first name, last name, or email address.”

Every website seems to have its own unique, arbitrary set of rules created as they see fit. Some demand extreme complexity; some ban specific words; some forbid certain special characters while requiring others.

This isn’t just a minor annoyance but a massive user experience failure, in my opinion.

Many websites also require you to change the password every X days/months, and my normal response to this is changing my password1 to password2 or password3. This behavior is counterintuitive to what the website’s intention was in forcing the change.

NIST advises against mandatory complexity rules like the one AirBNB has just laid down. Instead, they emphasize length. A long passphrase like “correct horse battery staple” is much harder for a computer to crack than a short, complex password. I would think that it is also much easier to remember, albeit with a minor inconvenience in typing.
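As an added example (not code from the post, AirBNB or NIST), here is the naive email-substring check the post ran into beside a length-first validator in the spirit of the NIST guidance it cites, plus a detector for the password1 → password2 rotation described above; the policy numbers and the common-password list are assumptions made for this example.

```python
import re

# Assumed policy values for this example, not Airbnb's or NIST's exact numbers.
MIN_LENGTH = 8
MIN_TOKEN_LENGTH = 4  # email fragments shorter than this are too common to ban

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "password1", "password2", "password3", "12345678"}


def naive_contains_email(password: str, email: str) -> bool:
    """The behaviour the post ran into: reject if the local part or domain
    of the email appears anywhere in the password. With a one-letter local
    part such as a@mydomain.com this bans the letter 'a' outright."""
    local, _, domain = email.lower().partition("@")
    p = password.lower()
    return local in p or domain in p


def email_tokens(email: str) -> set[str]:
    """Split the address into its pieces (local part, domain labels) and keep
    only those long enough to actually identify the user."""
    parts = re.split(r"[@.+_\-]", email.lower())
    return {t for t in parts if len(t) >= MIN_TOKEN_LENGTH}


def check_password(password: str, email: str) -> list[str]:
    """Length-first policy in the spirit of the NIST guidance the post cites:
    no composition rules, a deny-list, and an email check that only looks for
    meaningful fragments. Returns the list of problems (empty means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    p = password.lower()
    if p in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    for tok in sorted(email_tokens(email)):
        if tok in p:
            problems.append(f"contains email fragment '{tok}'")
    return problems


def is_trivial_rotation(old: str, new: str) -> bool:
    """Detect the password1 -> password2 rotation the post describes: the
    same stem once trailing digits and exclamation marks are stripped."""
    def stem(s: str) -> str:
        return re.sub(r"[\d!]+$", "", s.lower())
    return old != new and stem(old) == stem(new)
```

With the single-letter address from the post, the naive check rejects “correct horse battery staple” while the token-based check accepts it and still catches a password built from the domain name.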

I know some of you are arguing to just use a password manager, but for someone like me who needs to work on iOS, Windows and Linux, a password manager may not always be up to date and compatible in all environments.
