Dear Online Services,
Do not force me to change my password. Ever. I use very long passwords that are generated for me that would take a long time (more than 10 minutes) to crack; and I know that you have software to disable the account after some number of attempts. Yes, LinkedIn, not all of your users are so stupid as to have the same password on Gawker as on LinkedIn. Lay off my data! That password is mine, not yours!
Because I generate the passwords with a master password and create a hash based on that password and your site, they are quasi-random. If you force me to change your stupid password, then I have one account for which my master doesn't work. That really sucks. When you have tens if not hundreds of passwords, one or two exceptions create a lot of pain.
And while we're at it, usbank.com (yes, you): If you're going to have a maximum length for a password, and allow it at login but not when you change your password, how about mentioning that on your awful site?
John
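The scheme described in the letter, sketched as an added example (not the author's actual tool): PBKDF2, the character set, the example domains and the `EXCEPTIONS` table are all assumptions. It shows how a forced change or a length cap turns into per-site state that the master password alone can no longer reproduce.

```python
import hashlib
import string

# Assumed output alphabet (74 symbols); real sites differ in what they accept.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
MAX_LEN = 32

def site_password(master: str, site: str, counter: int = 1, length: int = 24) -> str:
    """Derive a per-site password from the master password and the site name."""
    if counter < 1 or not 1 <= length <= MAX_LEN:
        raise ValueError("counter must be >= 1 and length within 1..MAX_LEN")
    # The salt binds the output to the site and to a rotation counter.
    salt = f"{site.strip().lower()}:{counter}".encode()
    # PBKDF2-HMAC-SHA256 is an assumption; the letter only says "a hash".
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              200_000, dklen=2 * MAX_LEN)
    # Two bytes per character keeps the modulo bias negligible.
    chars = []
    for i in range(length):
        n = int.from_bytes(raw[2 * i:2 * i + 2], "big")
        chars.append(ALPHABET[n % len(ALPHABET)])
    return "".join(chars)

# Constructed exceptions: every forced rotation or length cap adds an entry
# here that has to be stored and synced, which defeats the stateless design.
EXCEPTIONS = {
    "rotating-site.example": {"counter": 2},   # site forced a password change
    "short-limit.example": {"length": 16},     # site caps password length
}

def password_for(master: str, site: str) -> str:
    """Apply any recorded per-site exception, else use the defaults."""
    return site_password(master, site, **EXCEPTIONS.get(site, {}))

if __name__ == "__main__":
    master = "constructed master passphrase"   # sample value, not a real secret
    for s in ("normal-site.example", "rotating-site.example",
              "short-limit.example"):
        print(s, password_for(master, s))
```

If the `EXCEPTIONS` table is lost, the passwords for those sites cannot be regenerated from the master password alone, which is the pain the letter describes.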