@ELLIOTTCABLE
Created March 25, 2016 01:34
Gist: ELLIOTTCABLE/86fca1b174bc29cc3637
First off, I need help; I've tried generating several, ridiculously
(unnecessarily.) complex passwords to meet your system's silly rules,
and with *none* of them, can I successfully get beyond the “your
password has expired” page. I simply keep getting told “Password must be
stronger! Password must be stronger!”, even when I've filled your damn
little green bar up all the way. There's not even any feedback as to
*what the requirements are* that I am apparently failing! (I cannot
imagine what password requirements could be so draconian that these
examples are failing the test: ‘password must require upper-plane
Unicode?’ ‘individual bytes of characters must form a sequence, when
multiplied times each other, that resolves into a Mersenne prime?’
‘password will be e-mailed to our technically incompetent management
team, who will read it, and decide if they think it “sounds” secure,
then get back to you within 60 business days?’)
My username is apparently ‘<SNIP>’, according to the physical mailing I
got when one of my investment advisors signed me up for your service.
(Why are you even calling it a ‘username’ if it's a sequential number?
o_O)
Some of the randomly-generated passwords I've tried, all of which were rejected by your service:
- "5B3710FA3F486B1CCFF3C42805079EC206F91F75F46918478193501B1096A987A907EA14F68B65E09FEA196DB66C4D3F6A02439D35D786A7F12FAB4FDE643BF9"
- "are you fucking kidding me with this shit right now, here, have some number and shit: 124564891467A5fhuRAE (and I'll even add some special characters: !@#$%)"
- "L%t&6DNmKszm"6#gC}Ipq.]w!#z#OBJ8Upd9<779E5K1U?/l~}?)+-nvgeS-R7:`iKw'GHUX_uW:npbwyB68|D$8[nzZxp*G:P}z.K>c!4<m7/k62eMtmh"UD8x4r%KWjqC#4;)O$eO$Qd^_DS\B%*O?xa$+E_?0k8XE']\pj{u;PmEoyb!Ry}W*R4`h_"
(Not even kidding, that last one wasn't accepted.) I'm running out of
ideas for passwords. So. Please fix that. I cannot *fathom* how your
normal, non-technical clients are using your site at all …
Additional issues
=================
In *additional* issues, you have some problematic client-side script …
1. … that's wiping out the ‘confirm your new password’ box,
shortly *after* the ‘enter a new password’ gets modified: this means,
when my browser generates a secure password *for* me, it fills in both
blanks … and then your script immediately wipes out the second blank,
leaving me unable to enter that auto-generated password in the second
field easily. Please, stop doing *that*, too. [This is also problematic
for disabled users browsing through extensions.]
2. … that's preventing me from *even using the page* [the submit button
disappears], when I have JavaScript disabled, which I tried to do to
avoid the fucking problems I mention above. There's plenty of serious,
and valid, reasons for a user to have JavaScript disabled; not the least
of which are security and accessibility concerns. Please fix this.
Soapboxing
==========
Now, time for me to get up on my soapbox:
Password requirements such as these are *completely* unnecessary, and
detrimental to both your users' security, and the security of the system
as a whole. A long, and simple, passphrase, is *easier for your users to
remember,* and **PROVABLY HARDER for an attacker to break by brute
force**, than a short passphrase following complex (and user-unfriendly)
rules such as yours.
Please. Do me a favor, don't dismiss this e-mail, and forward it
immediately to your engineering team. They'll understand (well,
hopefully), and know what to do, to make *my* (and your other users')
lives, as well as your own, easier.
⁓ ELLIOTTCABLE — fly safe.
  http://ell.io/tt
postscript: some required readings
==================================
- <http://security.stackexchange.com/q/16455/17660>
"Why do password strength requirements exist?"
- <http://stackoverflow.com/q/98768>
"Should I impose a maximum length on passwords?"
- <http://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html>
"Who’s who of bad password practices"
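As an added example (not part of the gist, and not the service's code), here is the brute-force arithmetic behind the soapbox paragraph, with a toy composition policy of the kind the letter complains about set beside a length-only policy. The page never shows the service's actual rules, so the 8-to-16-character four-class rule below, the 10 billion guesses-per-second offline rate, the 94-character alphabet, the Diceware list size, the sample passwords and the three-entry blocklist are all assumptions constructed for the example; the only input taken from the page is the 128-hex-digit string quoted first in the letter.

```python
import math
import re

# Alphabet sizes assumed for illustration (not figures from the gist).
PRINTABLE_ASCII = 94    # what a "complex" policy typically draws from
HEX_DIGITS = 16         # the 128-hex-char string in the letter uses this set
DICEWARE_WORDS = 7776   # size of the standard Diceware word list (6**5)

# Assumed offline guess rate against a fast, unsalted hash (GPU class).
ASSUMED_GUESSES_PER_SECOND = 1e10

# The first password quoted in the letter: 128 hex digits = 512 bits.
HEX_FROM_LETTER = ("5B3710FA3F486B1CCFF3C42805079EC206F91F75F46918478193501B1096A987"
                   "A907EA14F68B65E09FEA196DB66C4D3F6A02439D35D786A7F12FAB4FDE643BF9")


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a string chosen uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def passphrase_bits(list_size: int, words: int) -> float:
    """Entropy of a passphrase of `words` uniformly random list entries.
    Separators carry no entropy, so only the word count and list size matter."""
    return words * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at a fixed offline guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def meets_composition_policy(pw: str) -> bool:
    """Hypothetical composition rule (assumption; the real rules are not shown):
    8-16 characters with at least one upper, lower, digit and punctuation char."""
    if not 8 <= len(pw) <= 16:
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return all(re.search(c, pw) for c in classes)


def meets_length_policy(pw: str, min_len: int = 12, max_len: int = 256,
                        blocklist=frozenset({"password", "p@ssw0rd", "123456"})) -> bool:
    """Alternative policy: a minimum length, a generous maximum and a blocklist
    of breached/common values (three constructed entries), no class rules."""
    return min_len <= len(pw) <= max_len and pw.lower() not in blocklist


def policy_report(pw: str, bits: float) -> dict:
    """Summarise how each policy treats a candidate alongside its real entropy."""
    return {
        "bits": round(bits, 1),
        "years_offline": round(years_to_exhaust(bits, ASSUMED_GUESSES_PER_SECOND), 3),
        "composition_ok": meets_composition_policy(pw),
        "length_ok": meets_length_policy(pw),
    }


if __name__ == "__main__":
    # Constructed samples: a leet dictionary word, 8 random printable chars,
    # a 5-word Diceware phrase, and the hex string from the letter.
    samples = [
        ("P@ssw0rd", 0.0),                       # dictionary + substitutions: ~0 bits
        ("q7#Kz2!M", random_string_bits(PRINTABLE_ASCII, 8)),
        ("correct horse battery staple waffle", passphrase_bits(DICEWARE_WORDS, 5)),
        (HEX_FROM_LETTER, random_string_bits(HEX_DIGITS, 128)),
    ]
    for pw, bits in samples:
        print(f"{pw[:24]:<26} {policy_report(pw, bits)}")
```

The point the numbers make: the 8-character "complex" string passes the composition rule yet falls to a fast offline attack in days, while the 5-word phrase (about 12 bits more, and far easier to remember) is rejected by that same rule and would take decades at the assumed rate. The length-only policy with a blocklist orders the candidates the right way round.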