
Aside from historical reasons, there really is no good excuse for not allowing lots of special characters and long passwords as an option for users.

Since secure email passwords are critical and we should include symbols and special characters to increase security, I can't understand why ISPs such as AT&T U-verse, Comcast, etc., do NOT allow any of the above in setting up passwords. Their tech people just can't explain it. This boggles my mind.

In this excerpt from Answercast #59, I discuss possible reasons for password limitations and suggestions to keep your passwords secure.

Boggled by limited passwords?

It does me too to a certain degree. I kind of understand it; I'm not going to excuse it.

I honestly believe that you're quite right. There should be no reason not to allow special characters and in fact, there should also not be a length limit.

Length limits

We've recently been hearing about a length limit of only 16 characters imposed on Microsoft Hotmail accounts. While 16 characters might be sufficient if you choose an appropriate 16-character password, I don't believe that it's enough. There is really no technical reason that a 16-character limit should be imposed.

Legacy systems

So, with that little bit of griping out of the way... my understanding (and the reason I at least sort of understand where some of this comes from) is that many of these systems, particularly the larger, older ISPs, have been around for so long that a lot of what they're dealing with is what we politely call "legacy" systems. Put another way, these are "older than dirt" systems that were crafted back when password length was not nearly as much of an issue, and in fact, password complexity wasn't as much of an issue either.

And, on top of that, there were often barriers to using certain characters. There were escape characters that could not be transmitted between whatever it was you were typing on and the system that was receiving it.

I don't mean the Escape key. I mean characters that were used to signify something special. An exclamation point, or a dollar sign, or any number of things would actually be intercepted before they reached the destination system. As a result, you could type them all you want, but they might not actually show up in your password.

Current systems

There's no reason for that today. I'm not saying that's the way things work today. But it definitely is the way that many systems were architected in the past. Unfortunately, many of these systems that have come forward, even into this 21st century, are now built on some of the same code (or built with some of the same assumptions) that were requirements back in the day.

It's unfortunate. I really don't know a way around it other than complaining. Perhaps, I suppose a certain amount of public shaming of these ISPs... but the point is that you have to work with what they give you.

Creating secure passwords

If what they give you isn't sufficient for your needs, then you need to take extra steps. Those extra steps might include not using those accounts for some of the more sensitive things that you might consider using them for, or perhaps not using them at all and switching to a different system.

What we often say is that length is more important than special characters. So, I'm actually not as concerned about the number of special characters that are disallowed as long as the password can be made significantly longer.

By significantly longer, I'd say (I don't know...) a minimum of 20 to 30 characters at least: some way that you can actually type in a "pass phrase," because those are going to be significantly harder for hackers to crack with many different approaches.

Unfortunately, like I said earlier, we have systems like Hotmail where they've artificially limited the length of the password. I don't know what their current stand is on special characters; I believe they allow special characters. But if a password is going to be artificially restricted to some annoyingly short length...

Length restrictions

Sixteen isn't quite annoying, other than the fact that the limit shouldn't need to be there at all. I know of systems that allow only eight-character passwords! With those, you should definitely be allowed to use, and should be using, random characters (special characters and so forth) to keep your password as secure as possible.

But the short answer is... aside from historical reasons (aside from the complexity of changing existing systems, large existing systems), there really is no good excuse for not allowing both lots and lots of special characters and having exceptionally long passwords as an option for most users.
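To put numbers on the "length beats special characters" argument above, here is an added example (not part of the original article) that compares the search space of the policies mentioned on this page: six digits, eight characters with symbols, the 16-character Hotmail limit, and 20- or 30-character lowercase passphrases. Character-set sizes, the dictionary size and the attacker's guess rate are assumptions chosen for illustration.

```python
import math

# Character-set sizes for the comparisons (assumed: a US-ASCII keyboard).
DIGITS = 10          # 0-9
LOWER = 26           # a-z
PRINTABLE = 95       # all printable ASCII, including symbols and space


def search_space_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from
    charset_size symbols, `length` characters long: length * log2(charset)."""
    return length * math.log2(charset_size)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of word_count words picked uniformly from a
    dictionary. An attacker who knows the word list guesses words, not
    characters, so the phrase's character count does not enter into this."""
    return word_count * math.log2(dictionary_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the space must be tried.
    guesses_per_second is an assumed offline attacker rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


# Policies named in the article and its comments; the sizes are assumed.
POLICIES = {
    "6 digits only":                    (DIGITS, 6),
    "8 chars, symbols allowed":         (PRINTABLE, 8),
    "16 chars, symbols allowed":        (PRINTABLE, 16),
    "20 lowercase letters, no symbols": (LOWER, 20),
    "30 lowercase letters, no symbols": (LOWER, 30),
}


def compare_policies(rate: float = 1e11) -> dict:
    """Return {policy: (bits, expected years)} for an assumed guess rate."""
    result = {}
    for name, (charset, length) in POLICIES.items():
        bits = search_space_bits(charset, length)
        result[name] = (round(bits, 1), expected_crack_years(bits, rate))
    return result


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:34s} {bits:6.1f} bits  ~{years:.3g} years")
    # Five words drawn from a 7776-word list (assumed dictionary size).
    print(f"5 random dictionary words: {passphrase_bits(5, 7776):.1f} bits")
```

Twenty lowercase letters (about 94 bits) already outrank eight characters drawn from the full symbol set (about 53 bits), and the passphrase figure shows the caveat: a phrase of dictionary words is only as strong as the number of words and the list they came from.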

Article C5890 - October 6, 2012

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


5 Comments
PC Resolver
October 6, 2012 2:48 PM

The worrying thing is that if they restrict the types of character or the length then it implies they are storing your password "in the clear". I.e. they are storing a copy of your password in their database in a human readable format. If their database is compromised then so is your password. If you happen to use that password on other systems then that has also been compromised.
They should 'hash' the password. 'Hashing' is applying a transformation to the password to turn it into a very very long string of characters and store that string in their database. When you subsequently log in with your password the same transformation is applied and compared to the answer. If the database is compromised the 'bad guys' only have your hash - if they use that as your password it will always fail.
Even this isn't totally secure so the best system includes adding 'salt' to the hash. This prevents 'rainbow' attacks.
The first step is to stop storing passwords in the clear and it is really disappointing that Microsoft have not upgraded Hotmail's security since they bought it years ago.
To answer the question (and to reinforce Leo's answer): the ISPs don't allow these characters because their security is lax!

I don't believe that these limitations imply that the system is storing the password in plain text. There may be other limitations in their architecture - between password acceptance and eventual storage - that impose these length and character set limitations. You're correct that salted hashes are the proper way to do this, but I believe that the only way to determine whether a password is kept in plain text is to perform a password retrieval - if they can tell you your password, then they have it in plain text. If they don't (i.e. they only allow you to set a new password) then no assumptions can or should be made.
Leo
08-Oct-2012
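The salted hashing that the comment above describes, and that Leo's reply agrees is the proper way to store passwords, as an added example (not code from the site or from either commenter). It uses Python's standard-library PBKDF2 and an in-memory, constructed credential store; the iteration count is an assumed work factor. It also makes the point from the exchange that proper hashing puts no limit on password length or character set, and that two users with the same password get different stored records, which is what defeats precomputed ("rainbow") tables.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; raise it as hardware allows
SALT_BYTES = 16        # per-user random salt

# Constructed in-memory store: {username: "pbkdf2_sha256$iters$salt$hash"}
CREDENTIALS = {}


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a salted hash; the password is only ever seen as UTF-8 bytes,
    so any length and any character, symbols included, is accepted."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    enc = lambda b: base64.b64encode(b).decode("ascii")
    return "$".join(["pbkdf2_sha256", str(ITERATIONS), enc(salt), enc(digest)])


def verify_password(stored: str, candidate: str) -> bool:
    """Re-run the same transformation with the stored salt and compare in
    constant time; the plaintext password is never stored or recoverable."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, int(iters))
    return hmac.compare_digest(expected, actual)


def register(username: str, password: str) -> None:
    CREDENTIALS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    stored = CREDENTIALS.get(username)
    return stored is not None and verify_password(stored, password)


def salts_differ(password: str) -> bool:
    """Same password, two registrations: the stored records must differ,
    so a precomputed table of hashes for common passwords is useless."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    register("alice", "correct horse battery staple! #$%&*()_+" * 2)  # 80 chars
    print(login("alice", "correct horse battery staple! #$%&*()_+" * 2))  # True
    print(login("alice", "wrong"), salts_differ("password123"))          # False True
```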

Ronny
October 7, 2012 8:36 AM

My employer has an older system that limits us to only six characters, and they must be numbers, i.e. 0-9.

PC Resolver
October 8, 2012 10:38 AM

Of course you're right Leo. We can't deduce they are storing passwords in the clear. My logic was flawed. I don't know of another reason for limiting the size of the password and the type of character but that doesn't mean there isn't one!
Even my logic fails to explain why certain characters are not allowed. Perhaps it is a limitation of the algorithm they use to generate the hash (which may well be salted later) and therefore of much less a security concern.
On to your point about them sending the password to you in the clear: this proves that they store it in the clear but, unfortunately, just because a company does NOT send the password in the clear doesn't mean it isn't storing it!
Takeaway: use good but DIFFERENT passwords everywhere.

Peter B
October 9, 2012 1:30 PM

As an ex mainframe programmer, I can tell you that in the old days the problem was with character sets, where in different character sets (you could think of them as languages, though that's not accurate), while all of the standard simple characters (A-Z, a-z, 0-9) were represented by the same internal computer (hex) codes, there were different representations of special characters in different character sets. So if you happened to use a terminal with a foreign keyboard, your password might not be recognised, even though you pressed the 'right' keys. I'm not that familiar with character sets on the PC - my impression is that this is no longer an issue.

bob D.
October 19, 2012 9:37 PM

I tried to sign up for Google email for me; they are too convoluted and stopped my clock by giving me ONLY a choice of name that showed me wrong and was not my style and was not what I wanted.

Since I could not code it so it was not easily copied, I just quit trying and thus use Yahoo, the easiest to sign up for and, so far as I am concerned, the best on the net.

Plus they got the best Yahoo finance page, where any idiot can comment without having to go to idiotville such as facebutt, twit or others that require my password.

Only an idiot, more of an idiot than me, would give their password to anyone; even though any hacker can get it and most other sites already have it, it is the demand that frosts me.

Who are they to demand my password??? Never gonna happen. I just click out of any that require my password. Maybe foolish, but I sleep better knowing I did not give it away and did not obey a dictatorial scam outfit like facebutt, twit and the like... ho hum.
