User accessibility, and keeping the bad guys out

Posted: 11-Jun-2012 06:00

As developers, every system we build has end-users, and there is a delicate balance between making it easy for a legitimate user to prove who they are and keeping unauthorised users out.  Make it too easy and their data can be compromised; make it too hard and our helpdesk gets flooded daily with calls from users who can't get into systems they are entitled to use.  The tried-and-true login combination is an email address and a password.

As a user, I hate systems that impose ridiculously complex rules when I select a password.  If I pick a ridiculously simple password, I should suffer whatever consequences follow from my poor decision.  Making me remember a login that isn't my primary email address (such as a username or account ID) is just as annoying.

The worst offender among the systems I use often is our credit card processor: if someone did get into my account, the worst they could do is transfer funds to our company bank account.  Nothing else remotely useful is exposed, yet they enforce a very complex pattern and make me change it every month (even PCI DSS, the standard card processors work under, only requires a change at least every 90 days).

Another good example comes from a recent thread by Geekzone user Lurch, who ran into the following password rules when signing up to Vodafone's careers site:

Please note that the password must respect the following rules:

  • It must contain between 6 and 50 characters. Use only characters from the following set: ! # $ % & ( ) * + , - . / 0123456789 : ; < = > ? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [ \ ] _ ` abcdefghijklmnopqrstuvwxyz { | } ~
  • It must contain at least 2 letter(s) (ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz).
  • It must contain at least 1 numeric character(s) (0123456789).
  • It must contain at least 1 character(s) from the following set: ! # $ % & ( ) * + , - . / : ; < = > ? @ [ \ ] _ ` { | } ~
  • It must not contain more than 2 identical consecutive characters (AAA, iiii, $$$$$ ...).
  • It must not contain your user name.
  • It must not contain your email address.
  • It must not contain your first name.
  • It must not contain your last name.

Just to sign up to a careers site, you have to jump through all these hoops.  Over the top much?
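To see what the rules above actually measure, here is a small Python check written for this post (it is not code from Vodafone's site or from Lurch's thread) that implements each bullet of the quoted policy and estimates the search space the policy implicitly rewards.  The sample passwords, the case-insensitive name comparison and the 2048-word list size are assumptions for illustration.  The policy happily accepts "Password1!", a dictionary word with the most common digit-and-symbol decoration, while rejecting a 28-character four-word passphrase on three counts: spaces are outside the permitted character set, and there is no digit and no symbol.

```python
import math
import re

# Character classes copied from the careers-site rules quoted above.
LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
SYMBOLS = "!#$%&()*+,-./:;<=>?@[\\]_`{|}~"
ALLOWED = set(LETTERS + DIGITS + SYMBOLS)   # note: no space, quote or ^ allowed


def check_password(password, user_name="", email="", first_name="", last_name=""):
    """Apply the quoted rules; return a list of violations (empty list = accepted)."""
    problems = []
    if not 6 <= len(password) <= 50:
        problems.append("length must be between 6 and 50 characters")
    if any(c not in ALLOWED for c in password):
        problems.append("contains characters outside the permitted set")
    if sum(c in LETTERS for c in password) < 2:
        problems.append("needs at least 2 letters")
    if not any(c in DIGITS for c in password):
        problems.append("needs at least 1 numeric character")
    if not any(c in SYMBOLS for c in password):
        problems.append("needs at least 1 symbol")
    # "more than 2 identical consecutive characters" means any run of 3 or more
    if re.search(r"(.)\1\1", password):
        problems.append("has more than 2 identical consecutive characters")
    lowered = password.lower()   # assumption: the site compares case-insensitively
    for label, value in (("user name", user_name), ("email address", email),
                         ("first name", first_name), ("last name", last_name)):
        if value and value.lower() in lowered:
            problems.append(f"contains your {label}")
    return problems


def class_bits(password):
    """Search space (in bits) implied by the character classes present: the only
    thing a rule set like the one above can measure.  It says nothing about how
    quickly a cracker working from a wordlist reaches the password."""
    pool = 0
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.islower() for c in password):
        pool += 26
    if any(c in DIGITS for c in password):
        pool += len(DIGITS)
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    return len(password) * math.log2(pool) if pool else 0.0


def wordlist_bits(n_words, wordlist_size):
    """Guessing work for n_words picked at random from a list of wordlist_size
    words, against an attacker who already knows the scheme being used."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    # Constructed sample passwords; "Password1!" is a top cracking-list pattern.
    for pw in ("Password1!", "correct horse battery staple", "aaa1!b"):
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r:32} {class_bits(pw):6.1f} class-bits  {'; '.join(verdict)}")
    print(f"4 random words from a 2048-word list: "
          f"{wordlist_bits(4, 2048):.0f} bits of guessing work")
```

Run it and the passphrase is rejected even though, against an attacker who knows it is four words from a 2048-word list, it still costs 44 bits of guessing work; the class-based figure for "Password1!" (about 65 bits) looks impressive on paper but says nothing about the fact that a dictionary word plus "1!" is among the first patterns any cracking tool tries.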

I originally had a whole blog post here outlining what I think is a better solution, but instead micsco's post from xkcd sums it up far better than I can:



I'm Nate Dunn, and I work for 3Bit, and am a moderator here at Geekzone.

The views and opinions represented on this blog are personal and belong solely to the blogger and do not represent in anyway those of 3Bit Solutions Limited or any other company.