Passwords: Secure websites thwart security

November 26, 2007

I’m so #*&@*$! frustrated with websites which limit the range of characters I can use in passwords.

I’ve adopted the fairly standard approach of creating three username/password pairs: one for high security sites like banks, one for medium security things like gmail, and one for low security sites. This means I only need to remember three sets of things, and if one is compromised, it only compromises sites at similar security levels.

I choose reasonable passwords for each. E.g., fairly long (more than 10 characters), mixed case, including digits and special characters.

However, this only works if all sites accept passwords that are that good. Or, if you’re willing to compromise password strength, it only works if there is a password, any password, that all sites will accept.

Unfortunately there isn’t such a password.

I use sites which variously require:

  • No more than 5 characters. (Think PIN.)
  • No fewer than 6 characters.
  • Must have a special character.
  • No special characters allowed.
  • Must have a capital letter.
  • Only numbers allowed. (Think PIN.)

So there is no single password which can work across these sites.

You’d think that all bank sites (at least) would allow long passwords of any characters. However, banks are typically the worst, frequently requiring a PIN (exactly 5 numbers). (For some reason, their website passwords must also work at ATMs.)

So not only am I forced to use a less secure password, I’m forced to create more passwords than I need (and than I can remember). So I’m forced to write them down — another insecure practice.

Why are there ANY websites today which disallow long passwords made up of any characters? (Since passwords should really be stored as secure hashed values of the strings, never the actual cleartext, any length string of any characters should easily be allowed.)
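Storing only a salted hash, as the last paragraph argues, is what makes length and character limits unnecessary: the stored record is the same size whether the user typed a 5-digit PIN or a 40-character Unicode passphrase. The following Python is an added example, not code from the post; it uses the standard library's PBKDF2-HMAC, and the iteration count and record format are assumptions.

```python
import hashlib
import hmac
import os

# Key-derivation parameters (assumed values for this example; tune for your hardware).
DIGEST = "sha256"
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<hash>'.

    The password is UTF-8 encoded and fed to PBKDF2-HMAC, so any length and
    any character is accepted. The derived hash is fixed-size, so the record
    length does not depend on what the user typed. (Note: bcrypt, unlike
    PBKDF2/scrypt/Argon2, silently truncates input at 72 bytes; a site that
    hashes with bcrypt still has no reason to *reject* long passwords, but it
    should be aware the extra bytes add no strength.)
    """
    salt = salt or os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        DIGEST, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_{DIGEST}${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the parameters stored in the record and compare
    in constant time, so a wrong guess cannot be timed byte by byte."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    digest = algo[len("pbkdf2_"):]
    derived = hashlib.pbkdf2_hmac(
        digest, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(derived, bytes.fromhex(hash_hex))


def check_policy(password: str, min_length: int = 10) -> list:
    """A policy that only sets a floor on strength. Nothing here caps length
    or forbids characters, because the cleartext is never stored."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a bank-style PIN and a long Unicode passphrase.
    for pw in ("12345", "Tr0ub4dor & 3 ünïcödé ✓ 🔒 passphrase!"):
        rec = hash_password(pw)
        print(len(rec), verify_password(pw, rec), check_policy(pw))
```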