
Digg and Reddit: Please Learn The Difference Between Original Content and Blogspam

infosec_4c

It’s 2007. There’s absolutely no excuse for websites today to not allow
special characters in their passwords. Whether you use a memory scheme or
an encrypted database application for generating and storing your
passwords, it’s highly annoying when you come across a site that requires
you to lower your password security standards based on character length or
complexity.

Few things are more annoying than using your regular algorithm for building
a password (one that uses upper, lower, numbers, and special characters)
only to have the site tell you that you need to dumb it down in order for it
to take it. And it’s even worse for those using password programs that
auto-generate extremely long and complex passwords. Having a site tell you
your security is “too good” is simply unacceptable.

So after being bothered by this one too many times I blogged about it and
created a post in the BBR Security forum asking for sites that have this
flaw. Here’s the list we’ve come up with so far:

  • Digg!

  • Suntrust Bank

  • Chase Bank

  • Verizon.net

  • Wells Fargo Bank

  • Sovereign Bank

  • Americanexpress.com

  • BB&T NASA Credit Union

  • Space Coast Credit Union

  • Earthlink

  • Cafepress.com

  • Equifax.com

  • Progressive.com

  • Merrill Lynch

[ Please contact me with additions and corrections/deletions ]

The ones that stand out are the financially-oriented sites, obviously, but
the fact that Digg doesn’t allow special characters just blows my mind
(Reddit does). Surely one can make an argument that passwords are weak
anyway, that password length is the most important issue, and that most
sites have lockout features, etc., but ultimately the arguments for not
implementing this are lame for a simple reason:

The bottom line comes down to this: people should be able to use advanced
memory-based techniques or password applications that generate very long,
complex passwords and have them work everywhere. Sites that force users to
lower their standards should be exposed and asked to modernize.

So if you use one of these sites, do the Internet a favor and contact
customer service and file a complaint. With enough attention I think we can
get at least a few of these to do the right thing.

May 23, 2025
