Over the last couple of years there’s been a lot of debate over how web authentication should work. On the one hand you have traditional web sites where you have to register before you can use them, which involves selecting a user name and password; on the other hand you have recent open standards for authentication like OpenID that allow you to authenticate using a common, predefined set of credentials.
The OpenID approach never really excited me the way it has excited some others. I have never had a problem with multiple web site accounts, since I have a scheme for selecting user names and passwords that seems to work fairly well. The problem is that for some sites it’s not feasible to outsource authentication to a third-party provider: think of the site for managing your retirement account, or your bank’s web site. Unfortunately, the biggest issue I keep seeing with these types of sites is that most of them have very strange, very bad password requirements.
Case in point: forcing you to select a password of no more than 8 characters, or one that cannot contain non-alphanumerics. That’s just insane. The best way to create a strong password is to make it long and include a variety of character types (letters, numbers, symbols, etc.). I find it hard to believe these institutions are so strapped for space on their database server/mainframe that they can’t afford a few more characters per password. Likewise, what modern RDBMS doesn’t support the standard non-alphanumeric characters that people tend to use?
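To make the point concrete, here is an added Python example (not from the original post) that models the restrictive policy described above beside a permissive one, reports why a candidate password is rejected under each, and bounds the search space each policy allows. The policy limits and the per-character entropy model are assumptions constructed for this illustration.

```python
import math
import string
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_len: int
    max_len: int
    alphabet: str  # characters the site will accept in a password


# Constructed policies: the "max 8, alphanumeric only" rule the post complains
# about, and a permissive one that allows long passwords with any printable character.
LEGACY_POLICY = PasswordPolicy("legacy", 6, 8, string.ascii_letters + string.digits)
SANE_POLICY = PasswordPolicy(
    "sane", 12, 128, string.ascii_letters + string.digits + string.punctuation + " "
)


def violations(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the reasons a password is rejected under a policy (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_len:
        problems.append(f"shorter than {policy.min_len}")
    if len(password) > policy.max_len:
        problems.append(f"longer than {policy.max_len}")
    disallowed = sorted({c for c in password if c not in policy.alphabet})
    if disallowed:
        problems.append("disallowed characters: " + repr("".join(disallowed)))
    return problems


def max_entropy_bits(policy: PasswordPolicy) -> float:
    """Upper bound on guessing entropy under a policy: its longest allowed
    password drawn uniformly from its alphabet, i.e. log2 of that keyspace."""
    return policy.max_len * math.log2(len(policy.alphabet))


def entropy_bits(password: str) -> float:
    """Naive estimate: treat the password as uniformly random over the union of
    the character classes it actually uses (assumed model, ignores dictionary words)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation + " "]
    alphabet_size = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet_size) if alphabet_size else 0.0


if __name__ == "__main__":
    for pw in ("abc12345", "correct horse battery staple"):
        for policy in (LEGACY_POLICY, SANE_POLICY):
            print(policy.name, repr(pw), violations(pw, policy) or "accepted", round(entropy_bits(pw), 1))
    print("legacy policy caps entropy at", round(max_entropy_bits(LEGACY_POLICY), 1), "bits")
```

Under the legacy policy no password can exceed roughly 47.6 bits of entropy, while the permissive policy accepts the 28-character passphrase the legacy one rejects for both its length and its spaces.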
It boggles the mind.