Goddamn it, there should not be any fucking arbitrary "you can't do a password without [x]" bullshit. Like, your password has to have a capital letter, a special character, but not a period or comma or a dozen other characters, and it has to be at least 6 but no more than 10 characters long, and your password should have a prime number in it and be in the metric system, every other character should be capitalized, and sacrifice your firstborn to us, but only if you give us 10% of everything you own when you die, your mother's maiden name, and your porn name. Oh and we'll only give you three chances to get all that right or the account will lock up for a day or so.
Honestly, I am quite capable of making secure passwords by myself without all these fucking arbitrary rules! This bullshit is making things 10 times harder than they need to be, and it's all false security anyway because you can always reset the password if you can get into the email account.
I tell you, the most sensible password things I've seen to date are Google and TrueCrypt. TrueCrypt will accept whole sentences as a password, without bitching about spaces and periods and question marks and so on. And while Google isn't quite that good, it doesn't have many of these arbitrary rules (just doesn't like spaces and periods and commas, I think), and you can add more security by linking the account to a cell phone and/or requiring verification codes (which I can lock in a text file inside of a TrueCrypt vault).
Honestly, web sites, if you would stop quibbling about pointless details and basically go the TrueCrypt route and allow any fucking characters we want, and whole sentences, then that would be much more secure and a hell of a lot less hassle.
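The contrast argued above, as an added example that is not part of the original post: a composition-rule checker modelled on the rules listed in the first paragraph, beside a length-only checker that accepts whole sentences. The function names, the 12 and 256 character limits, the treatment of spaces as forbidden, and the sample passwords are assumptions made for illustration.

```python
import math
import string

# Constructed rule set modelled on the post: 6-10 characters, a capital,
# a special character, but no period or comma (space is assumed forbidden too).
FORBIDDEN = set(". ,")
SPECIALS = set(string.punctuation) - FORBIDDEN

def restrictive_policy(pw):
    """Return the list of rule violations (empty list means accepted)."""
    problems = []
    if not 6 <= len(pw) <= 10:
        problems.append("length must be 6-10")
    if not any(c.isupper() for c in pw):
        problems.append("needs a capital letter")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs a special character")
    if any(c in FORBIDDEN for c in pw):
        problems.append("contains a forbidden character")
    return problems

def sentence_policy(pw, min_len=12, max_len=256):
    """Length-only check (limits are assumptions): any character is allowed."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"must be at least {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"must be at most {max_len} characters")
    return problems

def max_bits(alphabet_size, length):
    """Search-space ceiling in bits, reached only by uniformly random choice."""
    return length * math.log2(alphabet_size)

def compare(candidates):
    """Map each candidate to (restrictive violations, sentence violations)."""
    return {pw: (restrictive_policy(pw), sentence_policy(pw)) for pw in candidates}

if __name__ == "__main__":
    samples = ["Passw0rd!", "Is this a whole sentence? Yes, it is."]  # constructed
    for pw, (strict, loose) in compare(samples).items():
        print(repr(pw), "| restrictive:", strict or "ok", "| sentence:", loose or "ok")
    # 95 printable ASCII characters minus space, period and comma = 92 symbols.
    print(f"10-char ceiling under the restrictive rules: {max_bits(92, 10):.1f} bits")
    print(f"40-char ceiling with all 95 characters:      {max_bits(95, 40):.1f} bits")
```

The ceilings are upper bounds; a human-chosen password or sentence falls well below them, but the 10-character cap limits even a perfectly random choice.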
This was cross-posted from http://fayanora.dreamwidth.org/1204529.html