Sometimes I encounter a typical example of what I call “over-engineering”: someone has enthusiastically designed a webpage and added a few business rules too many.
The example below could have been funny if the consequences weren’t so dangerous.
I was creating an account on the Vodafone 360 site. When I provided my password, I noticed they had a “password security indicator”. I was also pleased to see that I had entered an extremely safe password: 4 out of 4!
Then I got this message:
It says my password is restricted to digits and letters only, and apparently only capitals too. Isn’t that odd? It severely restricts me in choosing a safe password, and it violates every guideline ever written about passwords.
Shouldn’t any designer who thinks up such a rule be fired on the spot? I mean, what was he thinking? The password strength is seriously reduced by limiting the allowable characters. The math is simple: a single character can be any key on your keyboard; digits, lowercase letters, uppercase letters, and symbols. A total of, let’s say, 100 characters (printable ASCII is actually 95, but round numbers make the point).
A one-character password can have a hundred combinations. A two-character password already has a hundred times a hundred (100²), or 10,000 combinations. And a three-character password has 100³, or 1 million combinations. If I apply the restriction on this site, I can use 26+10=36 characters. 36³ = a maximum of 46,656 combinations, roughly 21 times fewer! The gap grows with every extra character: the ratio is (100/36) raised to the password length, so at eight characters the restricted keyspace is already some 3,500 times smaller.
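To make the keyspace arithmetic above concrete for any policy and length, here is a small calculator. It is an added example, not code from the original post or from Vodafone; it assumes the site’s rule means the 26 ASCII uppercase letters plus the 10 digits, uses Python’s `string.punctuation` (32 characters) as the symbol class, and treats every allowed character as equally likely, which is the best case for the defender and the same assumption the post makes.

```python
import math
import string

# Character classes a password policy can allow. All four together give the
# 94 printable ASCII characters excluding space (the post rounds this to 100).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Assumed reading of the site's rule: capitals and digits only.
RESTRICTED = ("upper", "digit")
FULL = tuple(CLASSES)


def alphabet(classes):
    """Union of the allowed character classes."""
    chars = set()
    for name in classes:
        chars |= CLASSES[name]
    return chars


def keyspace(classes, length):
    """Number of distinct passwords of exactly `length` characters."""
    return len(alphabet(classes)) ** length


def entropy_bits(classes, length):
    """Bits of entropy of a uniformly random password under the policy."""
    return length * math.log2(len(alphabet(classes)))


def reduction_factor(full, restricted, length):
    """How many times smaller the restricted keyspace is at this length."""
    return keyspace(full, length) / keyspace(restricted, length)


def length_needed(classes, target_bits):
    """Shortest password that reaches `target_bits` under the policy."""
    return math.ceil(target_bits / math.log2(len(alphabet(classes))))


def seconds_to_exhaust(classes, length, guesses_per_second):
    """Worst-case time for an attacker to try every password of this length."""
    return keyspace(classes, length) / guesses_per_second


def check_policy(password, classes):
    """Emulate a server-side rule that rejects characters outside the policy.

    Returns (accepted, offending_characters).
    """
    allowed = alphabet(classes)
    offending = [ch for ch in password if ch not in allowed]
    return (len(offending) == 0, offending)


if __name__ == "__main__":
    for n in (3, 8, 12):
        print(f"length {n}: full={keyspace(FULL, n):.3e} "
              f"restricted={keyspace(RESTRICTED, n):.3e} "
              f"({reduction_factor(FULL, RESTRICTED, n):.0f}x smaller, "
              f"{entropy_bits(RESTRICTED, n):.1f} bits)")
    print("length for 64 bits, full policy:", length_needed(FULL, 64))
    print("length for 64 bits, restricted:", length_needed(RESTRICTED, 64))
    # Constructed sample password; a mixed-case password is rejected outright.
    print(check_policy("Tr0ub4dor&3", RESTRICTED))
```

The interesting numbers are not the three-character ones but `length_needed`: to reach the same entropy as a ten-character password drawn from all printable characters, the user of a capitals-and-digits site needs thirteen, and the site never tells them so. The strength meter that scored the original password 4/4 was evidently evaluated before the rule that rejected it, which is the communication failure the post is about.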
Not the programmer (or the two separate programmers implementing the two business rules), but the designer, tester, project manager AND the customer should all be punished in a terrible way for not thinking and communicating.
Amen 🙂